The role structure must allow the following resources, configured as described below, so that traffic can be redirected by PBR to NAC for the captive portal:
The Unregistered role:
Allow All NAC Appliances
Allow HTTP ports 80, 8080 with DSCP marking
Allow HTTPS port 443 with DSCP marking
You will need to allow all NAC appliances in order to complete the registration process.
You will also need to allow HTTP and HTTPS with the DSCP/TOS marking that is configured in the PBR configuration of the routed interfaces for redirection.
Example of Port 80 rule in the EWC:
Example of "NAC Redirect" Policy configured in EWC Class of Service:
This configuration will put a DSCP marking of 0X40 on the HTTP and HTTPS packets that PBR will redirect to the NAC appliance.
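To confirm on captured traffic that the Unregistered role is applying the marking PBR depends on, the following added example (not part of the original article or any vendor tooling) parses an IPv4 packet and reports whether it carries the marking on one of the redirected ports. It assumes 0X40 is the value of the whole IPv4 TOS byte (DSCP 16), since DSCP itself is only six bits wide; the function names and sample packets are constructed for illustration.

```python
import struct

# Value from the article, read here as the whole IPv4 TOS byte (assumption):
# DSCP is the upper six bits, so 0x40 corresponds to DSCP 16.
REDIRECT_TOS = 0x40
WEB_PORTS = {80, 8080, 443}  # ports the Unregistered role allows with marking

def classify(packet: bytes) -> dict:
    """Inspect one IPv4 packet (starting at the IP header) for the redirect marking."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    tos, proto = packet[1], packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    dport = None
    # Only the first fragment of a TCP packet carries the port numbers.
    if proto == 6 and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack_from("!H", packet, ihl + 2)[0]
    # Compare the six DSCP bits only; the low two bits are ECN and can change in transit.
    marked = (tos >> 2) == (REDIRECT_TOS >> 2)
    return {"tos": tos, "dscp": tos >> 2, "dport": dport,
            "marked": marked,
            "redirect_candidate": marked and dport in WEB_PORTS}

def build_sample(tos: int, dport: int, frag_offset: int = 0) -> bytes:
    """Constructed test packet: IPv4 header plus TCP header, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, frag_offset, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for tos, port in [(0x40, 80), (0x40, 443), (0x00, 8080), (0x40, 22)]:
        print(hex(tos), port, classify(build_sample(tos, port)))
```

An unmarked HTTP or HTTPS packet from an unregistered client in the capture means the role's Class of Service is not being applied, so PBR will not redirect it to the NAC appliance.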