Problem:
1. Portal error
2. Certificate alert when the browser is redirected to the ISE portal

Log Analysis:
ISE sent its system certificate without the intermediate and root CA certificates

Fix:
1. Disable RADIUS accounting on the anchor controller
2. Restart the ISE application from the CLI to rebuild the certificate chain

Note:
Due to Cisco bug ID CSCul83594, you cannot run accounting on both the anchor and foreign controllers, because it causes profiling to become inaccurate due to a potential lack of IP-to-MAC binding.

For the certificate chain issue, it could also be a defect, as ISE is running patch 5, which is an old version; several certificate defects are fixed in the latest patch of 2.4.
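To confirm which certificates the portal actually sends, before and after the restart, the output of `openssl s_client -connect <portal-host>:<portal-port> -showcerts` can be checked for a leaf-only chain. The parser below is an added example, not part of the original note; the sample outputs, hostname and CA names are constructed.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# openssl s_client; hostnames and CA names are made up for illustration.
LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ise-portal.example.test
   i:CN = Example Issuing CA
---
Server certificate
"""
FULL_CHAIN = """---
Certificate chain
 0 s:CN = ise-portal.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
 2 s:CN = Example Root CA
   i:CN = Example Root CA
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.strip() == "---":
            break  # end of the chain section
        elif in_section and (m := re.match(r"\s*\d+\s+s:(.*)", line)):
            subject = m.group(1).strip()
        elif in_section and subject and (m := re.match(r"\s+i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_gaps(chain):
    """List the points where the sent chain breaks or stops short of a root."""
    if not chain:
        return ["no certificates parsed"]
    gaps = [f"'{s}' is not followed by its issuer '{i}'"
            for (s, i), (nxt, _) in zip(chain, chain[1:]) if i != nxt]
    last_subject, last_issuer = chain[-1]
    if last_subject != last_issuer:  # not self-signed, so something is missing
        gaps.append(f"chain stops at '{last_subject}'; issuer '{last_issuer}' not sent")
    return gaps

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, "->", chain_gaps(parse_chain(sample)) or "complete")
```

A single gap reported at depth 0 is the leaf-only condition described in the log analysis; a chain that stops at an intermediate is only a problem if the client does not already trust that intermediate's issuer.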

Here is the section of the ISE CWA document on disabling accounting on the anchor controller:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11


The WLC shows that the AuthZ Profile is applied:
*apfReceiveTask: Nov 27 17:41:13.726: X0:X0:X0:X0:X0:X0 AAA Override Url-Redirect-Acl 'ACL_REDIRECT' mapped to ACL ID 5 and Flexconnect ACL ID 65535

However, the WLC struggles to communicate with the RADIUS server after this:
*aaaQueueReader: Nov 27 17:41:16.601: X0:X0:X0:X0:X0:X0 NAI-Realm not enabled on Wlan, radius servers will be selected as usual

We reviewed the WLC configuration: the SSID had no Authentication / Accounting server selected. We added this to the configuration, and the Guest portal was displayed as expected after that.