Sponsor Portal after upgrade ISE 1.2 -> 1.3

kkoziarski (Level 1)

Hi,

After upgrading ISE to version 1.3 I can't access the Sponsor Portal via ://ISE_IP:8443/sponsorportal/ as I did in version 1.2 (error: [ 404 ] Sponsor Portal Resource Not Found. The resource requested cannot be found). I have to open it through ISE (Guest Access -> Configure -> Sponsor Portals -> Sponsor Portal (Default) -> Portal test URL). But then in the address bar I can see the exact same address I tried to reach (://ISE_IP:8443/sponsorportal/), and it works.

I deleted the migrated portal from version 1.2 and am now using only the default one. Should I additionally activate it somewhere after this upgrade?

5 Replies

ajc (Level 7)

Even though the following may not make sense, is the ISE_IP that you tried the PSN IP? You cannot access the Sponsor Portal using the PAN or MNT node IP unless they have the Policy persona enabled.

It is a virtual machine appliance (standalone), so it is the all-in-one type and has an internal static IP address. The Sponsor Portal should be reachable on port 8443 as it is defined, and as it was working in the earlier version. According to the Cisco guide: "Your administrator customizes this URL, but it typically has a format such as: https://ipaddress:portnumber/sponsorportal/PortalSetup.action?portal=portalID or https://sponsorportal.yourcompany.com "

Solved.

I had to add an alias in DNS for my ISE server and add the FQDN containing that alias in the Sponsor Portal settings (Guest Access -> Configure -> Sponsor Portals -> my portal -> FQDN).

You were pretty much right, Abraham, but your post wasn't clear to me before; now it is :)

Thanks.

Nice to hear that. I just want to add something to take into account:

When you create the CSR directly from ISE, the documentation for version 1.2 says that you need at minimum the CN field. I did that and then started having issues with the Chrome browser/Chromebook, which was triggering a certificate warning even though I had signed it with the correct CA server and had the trusted Certificate Authority included in the browser list.

When I was using 1.1.3, I did not have that problem when using the ISE internal CSR feature and only the Common Name (CN) for the CSR.

I tried using OpenSSL as usual to create the CSR for ISE running 1.2. I signed it and imported it into ISE, and the problem was solved. Like you, I am using the FQDN in the WLC URL redirect on LWA or CWA, with the corresponding entry in DNS. One important thing I found is that OpenSSL uses some additional fields which I included in the CSR, and after reviewing the ISE 1.2 documentation I think we need to include those as well in the ISE CSR feature. It also looks like there is a sequence/order for those fields in ISE when creating the ISE CSR. The list is the following:

countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


Finally, with OpenSSL I could also create SAN certificates, and I included the IPs of the PSN, PAN and MNT ISEs so I would not need the DNS entry. This feature was added in version 1.2 of ISE, which helps a lot. I will test it a bit more, since I have a lab deployment with 5 ISEs (PAN, MNT and 3 PSNs).
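As an added example (not code from the thread, from Cisco, or from the poster), a POSIX shell helper that writes the OpenSSL request config with the subject fields in the order listed above and a SAN covering the sponsor-portal DNS alias and the node FQDNs/IPs, so that every name a browser may use for a portal is on the certificate. All hostnames, addresses and DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an OpenSSL request config for an ISE portal certificate.
# Subject fields follow the order from the post; only commonName is mandatory.
# All names and addresses here are constructed placeholders, not thread values.

# write_ise_csr_config <outfile> <commonName> <san-list>
# <san-list> is an OpenSSL SAN string, e.g. "DNS:a.example.com,IP:192.0.2.1"
write_ise_csr_config() {
    out="$1"; cn="$2"; san="$3"
    cat > "$out" <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_dn
req_extensions      = req_ext

[ req_dn ]
countryName             = US
stateOrProvinceName     = Example State
localityName            = Example City
organizationName        = Example Corp
organizationalUnitName  = Network Security
commonName              = $cn
emailAddress            = netsec@example.com

# Every name a client may use to reach a portal must appear here, or
# browsers will warn even when the signing CA is trusted.
[ req_ext ]
subjectAltName          = $san
EOF
}

# Constructed lab topology: the sponsor-portal alias plus two nodes.
SAN_LIST="DNS:sponsorportal.example.com,DNS:ise-pan.example.com,IP:192.0.2.10,DNS:ise-psn1.example.com,IP:192.0.2.11"

# generate_csr <config> <keyfile> <csrfile>: create the private key and CSR
# that the enterprise CA then signs and that is imported into ISE.
generate_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1"
}

# has_san <config> <name>: succeed if the subjectAltName line contains <name>.
has_san() {
    grep '^subjectAltName' "$1" | grep -q "$2"
}

# Usage (uncomment to run):
# write_ise_csr_config ise.cnf ise-pan.example.com "$SAN_LIST"
# generate_csr ise.cnf ise-pan.key ise-pan.csr
```

After signing, verify the SAN made it into the CSR with `openssl req -noout -text -in ise-pan.csr` before importing into ISE.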

If I may respectfully interject, the Guest Sponsor Portal is served on the PAN node. I have 4 PSNs, and port 8443 is only accessible using wftech on the PAN. There is a lot of confusion on this and I will call TAC now to confirm; here is an excerpt from the admin guide:

"Note When the primary Administration ISE node is down, Sponsor administrators cannot create new guest user accounts. During this time, the guest and sponsor portals will provide read-only access to already created guest and sponsor users, respectively. Also, a sponsor administrator who has never logged into the sponsor portal before the primary Administration ISE node went offline, will not be able to log into the sponsor portal until a secondary Administration ISE node is promoted or the primary Administration ISE node becomes available. "

So the moral of the story is: do not load balance the guest sponsor URL; just CNAME it to the PAN.
