Overall, to say:
Changing from a publicly available DNS server from Telekom/T-Online, 194.25.129.2, to Google DNS 8.8.8.8 inside the VLAN 100 tagged network solved the issue.
Not sure what caused this and why this combination is not working.
Afterwards I assigned a CP to the Gast-100, and that works smoothly too; the redirect works.
In my case I have set the access rule to "unrestricted".
One last question:
In the access rules there's network-based or role-based. If changing to role-based, there's an option for a "pre-auth" role. As the unrestricted access rule points to the CP too, I wonder if I have to change to a pre-auth role when changing to a role-based access rule, e.g. if someone would like to restrict the guest access directly on the IAP already.
From a controller perspective: sure, the usual pre-logon role is assigned before auth, and then the guest role after auth. Is it done the same way on the IAP?
EDIT: It seems that without a pre-auth role in the role-based rule, a redirect to the CP also works. So I expect that if no pre-auth role is assigned, it's just already the default gast-100 role with access to any destinations, just dst-nat'ed to the controller until authenticated. But when there's a need to pre-auth too, with lesser ACLs like dns/dhcp/ping only (like on campus controllers), then an additional pre-auth role is just put on top of the guest SSID.
So far so good, I'm happy that it's working now.
Thanks
ben