Create a new Web Auth Parameter and in advanced tab copy/paste the ISE portal link to (Redirect for log-in) feild
you can get the link from ISE Sponsored Guest Portal
Now, because ISE portal is using TCP port 8443 which is not included in the “sec” ACL, we need to allow that by creating a new pre-Auth ACL and apply it to the WLAN as below:

conf t
ip access-list extended Local-External-WebAuth
permit tcp any host ISE_IP_ADDRESS eq 8443
permit tcp host ISE_IP_ADDRESS eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any
exit

And because we will use ISE to authenticate the users we have to add the below:
conf t
aaa authentication webauth default group your_group_name
exit

Note: Named Method lists is not supported for webauth

from SSID L3 check the Web Policy and select your Web Auth Parameter Map and select the Auth list as default and select the PreAuth ACL
and no need to select any AAA Auth List (802.1x authentication list name) since we already have that as “default” under the Layer3 Auth list (Webauth Authentication List Name)

The policy profile can be anything and there is no need for pre auth url.

You will see two Auth in ISE Logs:
The first one when ise validate the username/password of the user when the user typed it in ISE portal, no policy set will be used here.
The second Auth when the 9800 send the username/pass to ISE to validate those “second time” and ISE will use the policy set to validate it.