Thanks for the reply. However, after much tearing of hair out, I did eventually get this to work.
Here is what I did.
On the logon user role, I applied these rules:
ip access-list session cp-guest
alias NW-Guest alias masterswitch svc-https dst-nat 8081
alias NW-Guest any svc-http dst-nat 8080
alias NW-Guest any svc-https dst-nat 8081
On the guest auth role, I applied these rules:
ip access-list session captiveportal
any alias masterswitch svc-https redirect tunnel 800
any any svc-http-proxy1 redirect tunnel 800
any any svc-http-proxy2 redirect tunnel 800
any any svc-http-proxy3 redirect tunnel 800
any any svc-http redirect tunnel 800
any any svc-https redirect tunnel 800
What appears to happen is that the client connects to the guest SSID on the AP attached to the Local controller. The traffic is then redirected through the GRE tunnel. As the logon role is used by the GRE tunnel connection, restricting the source to the guest network prevents other users from unnecessarily accessing the captive portal. When the client opens a browser, the CP hijack kicks in and the Master controller captive portal login page appears. The user can then log in normally and access the Internet as expected.
I need to carry out more tests to confirm these changes have not messed up anything else, but initial tests do look promising.
Roy
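To check the source restriction described in the post, here is a small first-match evaluator for the two ACLs. It is an added example, not part of the original post and not ArubaOS code. The alias addresses, the service-to-port mapping and the implicit deny at the end of each ACL are assumptions made for illustration.

```python
import ipaddress

# Assumed values (not from the post): alias contents are constructed,
# service ports are assumed to be the usual tcp definitions.
ALIASES = {
    "NW-Guest": ipaddress.ip_network("10.20.0.0/24"),       # constructed guest subnet
    "masterswitch": ipaddress.ip_network("192.0.2.10/32"),  # constructed master IP
    "any": ipaddress.ip_network("0.0.0.0/0"),
}
SERVICES = {"svc-http": 80, "svc-https": 443, "svc-http-proxy1": 3128,
            "svc-http-proxy2": 8080, "svc-http-proxy3": 8888}

# Rule lines copied from the post.
ACLS = {
    "cp-guest": """alias NW-Guest alias masterswitch svc-https dst-nat 8081
alias NW-Guest any svc-http dst-nat 8080
alias NW-Guest any svc-https dst-nat 8081""",
    "captiveportal": """any alias masterswitch svc-https redirect tunnel 800
any any svc-http-proxy1 redirect tunnel 800
any any svc-http-proxy2 redirect tunnel 800
any any svc-http-proxy3 redirect tunnel 800
any any svc-http redirect tunnel 800
any any svc-https redirect tunnel 800""",
}

def parse(text):
    """Turn '<src> <dst> <service> <action...>' lines into match tuples."""
    rules = []
    for line in text.splitlines():
        # The 'alias' keyword only introduces a named network; drop it.
        tok = [t for t in line.split() if t != "alias"]
        src, dst, svc, action = tok[0], tok[1], tok[2], " ".join(tok[3:])
        rules.append((ALIASES[src], ALIASES[dst], SERVICES[svc], action))
    return rules

def evaluate(acl, src_ip, dst_ip, dport):
    """Return the action of the first matching rule, else 'deny' (assumed default)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s_net, d_net, port, action in parse(ACLS[acl]):
        if src in s_net and dst in d_net and dport == port:
            return action
    return "deny"

if __name__ == "__main__":
    # Guest-subnet client vs. a client outside NW-Guest, both browsing HTTP.
    print(evaluate("cp-guest", "10.20.0.55", "198.51.100.7", 80))
    print(evaluate("cp-guest", "10.99.0.5", "198.51.100.7", 80))
```

Replace the constructed alias addresses with the real netdestination values to test other source and destination pairs before changing the roles on the controllers.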