WLC型号为 C9800-L-C-K9

AP配置在local 模式 + central web authentication 对接ISE，能正常弹出认证页面并登陆成功

将AP改成flexconnect模式后发现无法弹出认证页面。flexconnect 的配置是按照https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html 中 Flexconnect Local Switching Access Points ONLY部分配置的，flexconnect group已经配置了policy acl

AP接连Guest网络时console提示：

Mar  1 08:17:59.123: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: a21e.d39e.5c59 was added to exclusion list associated with AP Name:CN-WF6-AP29, BSSID:MAC: e44e.2d46.1b61, reason:Redirect ACL failure

Mar  1 08:17:59.123: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (a21e.d39e.5c59) on Interface capwap_90000004 AuditSessionID 1F41A60A0000003F448EA6D5. Failure Reason: Redirect ACL Failure.

web页面显示用户状态为 ：web auth pending

但ACL flexconnect 模式和local模式引用的是同一条acl，不太明白local模式能正常认证，flexconnect模式弹不出认证界面，

有没有好的排错思路?