Redirect ACL not being applied initially

GRANT3779
Spotlight

Hi Folks,

 

I have the following odd issue. TAC case open also.

ISE 3.1 (Latest Patch)
WLC 8.10.152 (AP running FlexConnect)

 

Everything looks to be configured OK and the solution does work as expected after a disconnect / reconnect of the SSID.

 

Summary below -

Client connects to Guest SSID, gets IP and an attempted redirect to Guest portal on 8843 fails (should note that at this point, when I run a port scan against the PSN from my testing device whilst connected, 8443 shows NOT open but 80 and 443 show open, which seems odd).

The client is hitting the correct AUTHZ within ISE and I can see the redirect URL including my FlexConnect ACL being returned. The WLC also shows the client in WEB_AUTH state with Flex Pre Auth ACL name. When I then check the actual Access Point I am associated to I can see I am in WEB_AUTH state but the Flex ACL is not actually applied to the client session when I check "show client access-list pre-auth all client-mac". The ACL is however on the Access Point so it does exist on there for sure.

As soon as I disconnect from the SSID and reconnect the web redirect works straight away and when checking the AP again I can see the ACL is applied to the client and then everything works as expected.

I should note that after the reconnect to the SSID, the same ISE AUTHZ rules are being hit as before, so nothing has changed in terms of flow. I have tried all types of devices (Apple, Windows, Android etc.) and have the same issue.
The fact that everything works after I reconnect to the SSID suggests that fundamentally all the working parts are in place and working, but something odd is happening somewhere.

 

I have also tested with 2 different PSNs within my deployment and limited my testing now to a single PSN.

 

Anyone experienced similar or have any suggestions?

 

Thanks 

GRANT3779
Spotlight

Just an FYI if anyone else comes across this. We were hitting the following.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy77144

Rich R
VIP

Thanks for confirming.  So you should be able to resolve that by upgrading to 8.10.162.0

Yeah should have said, this is the release we have been advised to go to. Thanks. 