CWA - Not redirecting me

miguelespinosa
Level 1

I'm hoping there is someone that might be able to help me with my issue.

I followed the guide down below to create an SSID that would do CWA for a client with ISE 3.2. My WLC is 17.9.4a.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

I ran a wireshark, and see the attempt to go to www.msftconnecttest.com. I also see the DNS query for the ISE appliance hostname. It gets a response but never actually redirects and just takes me to MSN page. I have the wireshark below. The client is in a Web Auth Pending. The client shows action needed, no internet. What am I missing that is not allowing the client to redirect correctly? Let me know if additional details are needed.

Screenshot 2023-11-19 210829.png

14 Replies

ammahend
VIP

To start with, does ISE return the redirect URL as the authorization result? Share the ISE logs, and make sure there is no typo in the redirect ACL.

-hope this helps-

Is this what you are looking for? If not could you point me in the right direction?
Screenshot 2023-11-19 215512.png

This is good. Also, on the ACL: are you seeing hits on the REDIRECT ACL? Ideally you also want to send another guest DACL as part of authorization at this stage, which allows access to ISE, DNS and DHCP and blocks all other access for security purposes.

-hope this helps-

These are the hits that I am seeing on the ACL. I am planning on doing that, as the customer only wants them to have access to the Internet. I am sadly hung up on trying to just get this redirect to work. Also, not sure if this helps, but I can manually go to the page via the URL. It just doesn't happen automatically.

Screenshot 2023-11-19 221744.png

Seems good so far, assuming there are no additional ACLs or firewalls, the HTTP service is enabled, and AAA override and NAC state are enabled. If you paste the URL from ISE into the client's browser, is it reaching the redirect page?

-hope this helps-
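For readers following the two replies above (the redirect ACL with hits on the ISE entries, a guest DACL that limits the client to ISE, DNS and DHCP, and the AAA-override/NAC/HTTP-server prerequisites), here is an added reference configuration. It is not the poster's configuration and not taken from the Cisco guide linked in the question; the ACL and profile names, VLAN 100 and the ISE address 192.0.2.10 are placeholders.

```cisco
! --- WLC (Catalyst 9800) side ---
! Redirect ACL semantics on the 9800: "deny" = do NOT redirect this traffic,
! "permit" = intercept and redirect it. ISE, DNS and DHCP are denied so the
! client can resolve the portal FQDN and reach the portal itself.
ip access-list extended REDIRECT-ACL
 10 deny ip any host 192.0.2.10
 20 deny ip host 192.0.2.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 deny udp any any eq bootps
 60 deny udp any any eq bootpc
 70 permit tcp any any eq www
 80 permit tcp any any eq 443
! Verify per-ACE hit counters while a client probes: show ip access-lists REDIRECT-ACL

! HTTP server is needed for the intercept; webauth-http-enable is not required for CWA
ip http server

! Policy profile (placeholder name): aaa-override lets ISE's returned
! attributes (URL, ACL name, VLAN) take effect; nac enables the CoA flow.
wireless profile policy CWA-POLICY
 aaa-override
 nac
 vlan 100
 no shutdown

! --- ISE side: body of a Downloadable ACL attached to the web-auth-pending
! authorization profile. Restricts the client to DHCP, DNS and ISE until the
! portal flow completes; everything else is dropped.
permit udp any any eq 68
permit udp any any eq 67
permit udp any any eq 53
permit ip any host 192.0.2.10
deny ip any any
```

With both ACLs in place, a redirect that works shows hits climbing on the HTTP/HTTPS permit lines of REDIRECT-ACL and on its ISE deny lines once the client follows the portal URL; no hits at all on the ISE entries means the client never attempted the connection, which is exactly the symptom discussed later in this thread.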

Yes, it does reach the page when I copy the URL to the client. I do have ip http server, and webauth-http-enable is not in the config, like the guide said. Is there anything that might be causing this? Or anything that might help shed light on this?

miguelespinosa_0-1700455453448.png

miguelespinosa_0-1700455686838.png


The problem so far seems to be on the WLC. In packet 39 you see the ISE URL sent to the client in the capture; on packet 43, is that the query to the ISE FQDN? What's the version/patch on the WLC and ISE? Also, would you be comfortable sharing an embedded packet capture from the WLC and a TCP dump from ISE while testing?

-hope this helps-

It is ISE 3.2 with patch 3, and the WLC is 17.9.4a.

This is what I see in 39. It is the fully qualified name.

miguelespinosa_1-1700457318646.png
On 43 it is doing a DNS query for the FQDN of the ISE appliance.

miguelespinosa_2-1700457780894.png

Sorry, I was using a different Wireshark; same results though.

Looks good. I am sure you have tried on multiple devices. I don't see any known bugs related to this issue on this version. You can also review this guide; maybe you spot something you haven't checked yet, else I recommend opening a case.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220852-troubleshoot-central-web-authentication.html#toc-hId-1441757191

-hope this helps-

I'll review it, and see if I missed something. Otherwise I will open a TAC case. I appreciate all your help.

Sure, the only odd thing so far is that your redirect ACL has no hits on the ISE ACE.

-hope this helps-

Yeah, I was noticing that as well. It does the DNS lookup for the FQDN but never tries to connect to it. I'm assuming that's why there aren't any hits. Not sure if you can see that in my packet capture.

Sorry, share all config CLI.

Let me try to get that for ya. Is it possible that using a test machine with an Ethernet connection screws up my results? I am not physically in the office, and work remotely. Would it be better to use a client that is strictly on the wireless?
