this is what the cisco ise answers (captured with wireshark)

and this is what I called acl by copying and pasting from the name returned by cisco ise

thank you very much for the support

Hello Saikat,

First of all, thank you for your support.

Regarding the show ip access-list command executed directly on one of the APs: it does not return any output. However, when I run the same command on the WLC, I can see the full list of created ACLs, including the Guest_Redirect.

As for the show tech wireless output from the EWC: the result is very large. Could you please let me know which specific section or information you would like me to extract?

I would like to see the mode of APs + config. You can upload a notepad with the show tech wireless output here.

@neccia paolo EWC only supports flexconnect local switching so ACLs applied to client traffic have to be implemented on the AP.  
The fact that you aren't seeing the ACLs suggests your config is wrong - see https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html#toc-hId--2047927279 and https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-814074466

Paste the output from show tech wireless into a text file (.txt) on any text editor like Notepad and then attach the file here.

Hi Rich R,
I believe we have found the error point, that is, my APs are in flex mode. I have created the flex profile as recommended in the guide, but how can I associate it with the profile or the WLAN? At the moment, after modifying the configuration, I receive an ACl Failure error.

As soon as I have the opportunity, I will share the file.

Thank you again.

The Flex Profile is linked to the site tag.
It's clearly explained in the document I already linked in my previous reply:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html#toc-hId-206864907

Hi Rich R
thank you so much your help has been really helpful,
I receive the authentication page the acl is associated,
I made an acl permet any any but I can't access the page
sniffing the packets I only detect DNS traffic strangely no HTTP traffic
I checked the DNS queries and it actually returns the IP of the cisco ise.

I see the client coming

keep in mind that my ACL is set to permit any any ip

Thanks again for the support

Thanks fo all support @Rich R  now working you are my hero,
only the las qquestion you thinks is possible setting same configuration for the mobility express wlc ?

thanks again !!!!

You're welcome.

According to Table 15 and 16 at https://www.cisco.com/c/en/us/td/docs/wireless/access_point/feature-matrix/ap-feature-matrix.html it should also be supported on ME.

For AireOS see:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html