
ClearPass Guest - server initiated vs controller initiated


    Posted Aug 27, 2019 07:21 AM

    For guest self-registration "NAS vendor settings" you have two options, server initiated or controller initiated.

     

    Controller initiated seems to require more in terms of certificates and an extra redirect during the registration and logon process.

    It also can possibly seem to be a bit more troublesome in a multi controller setup with HTTPS redirect and returning the traffic to the correct controller.

    "The controller will send the IP to submit credentials" tick can be used, but during the login process that, by default at least, redirects to the controller IP (as it says it will..) which in turn gives a certificate warning.

     

    On the other hand you have the server initiated which relies on CoA being used. It's more forgiving on the certificate handling part, and multicontroller setups seem to have less of a hassle (again certificate issues) using this method, it can seem (I'm new to this method).

     

    Based on this post, Tim seems to be very clear that the controller initiated method should be used:

    https://community.arubanetworks.com/t5/Security/ClearPass-Guest-Selfregistration-Server-initiated-Login-Method/td-p/493701

     

    Could anyone give some insight into pros and cons, what is best practice and why, when to use which option etc.?

     

    Some insight into the controller initiated method, multicontroller setups and certificate warnings would be great as well.

    I do use wildcard certs on the CP certificate settings on controllers and am using captiveportal-login.domain.tld in CPPM guest "NAS vendor settings".

     

    -Helge