The Instant clusters need access to the ClearPass Guest appliance in your data center on both HTTP(S) and RADIUS.
Below is a workflow from the old Amigopod documentation; however, the flow is still about the same:
1) User associates
2) User is redirected to the landing page on ClearPass Guest; the proxy in Instant will proxy this from the management port; or with the proper exclusions this is forwarded directly from the Guest VLAN. Required access HTTPS and optional HTTP to the CPPM server.
3) Pre-login check on ClearPass (optional) and the....
4) Redirect to the NAS Login page (securelogin.arubanetworks.com by default); this is handled by the Instant AP
5) Instant AP converts the username and password in the redirect to a RADIUS request to CPPM; this requires RADIUS access (udp/1812) from the Instant management interface to your CPPM in the cloud/data center.
6) CPPM returns access accept with optional role (7) assignment and other optional access parameters.
8) Accounting from Instant AP management to CPPM udp/1813
In some situations, you may want to trigger a disconnect or reauthentication from the CPPM. In that case, Change-of-Authorization (CoA) comes into play; for that you need access from the CPPM TO the Instant AP management IP (default on udp port 3799). In internet-connected situations this may be difficult to realize; however, Instant allows you to configure a VPN to your data center and run the CPPM traffic over that VPN in both directions.
So you don't need guest users to access the Instant cluster; they will do so indirectly during the initial redirect and the authentication.
Does this answer your question? Or what do you want to achieve, or avoid?
Herman
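
The flows listed in the post can be checked against a firewall allow-list before rollout. The following is an added example, not part of the original post or any Aruba tooling: the rule tuple format, the `audit` function and the addresses are assumptions made for illustration, and it assumes the portal traffic is proxied from the Instant management IP rather than forwarded from the Guest VLAN.

```python
import ipaddress

# Flows named in the post: (label, source, destination, protocol, port, required).
# HTTP and CoA are optional per the post; accounting is treated as required
# here because it is listed as a workflow step (an assumption of this example).
FLOWS = [
    ("portal HTTPS",      "instant", "cppm",    "tcp", 443,  True),
    ("portal HTTP",       "instant", "cppm",    "tcp", 80,   False),
    ("RADIUS auth",       "instant", "cppm",    "udp", 1812, True),
    ("RADIUS accounting", "instant", "cppm",    "udp", 1813, True),
    ("RADIUS CoA",        "cppm",    "instant", "udp", 3799, False),
]

def _covers(rule, src_ip, dst_ip, proto, port):
    """True if an allow rule (src_cidr, dst_cidr, proto, lo, hi) permits the flow."""
    src_net, dst_net, r_proto, lo, hi = rule
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dst_net)
            and r_proto == proto and lo <= port <= hi)

def audit(rules, hosts):
    """Compare allow rules with the flows above.

    hosts maps "instant" and "cppm" to IP addresses.
    Returns labels of missing required flows, labels of missing optional
    flows, and rules that permit none of the listed flows (least-privilege
    candidates for removal).
    """
    missing_required, missing_optional, used = [], [], set()
    for label, src, dst, proto, port, required in FLOWS:
        hits = [i for i, r in enumerate(rules)
                if _covers(r, hosts[src], hosts[dst], proto, port)]
        used.update(hits)
        if not hits:
            (missing_required if required else missing_optional).append(label)
    unused = [r for i, r in enumerate(rules) if i not in used]
    return missing_required, missing_optional, unused

# Constructed sample: documentation addresses, not values from the post.
HOSTS = {"instant": "192.0.2.10", "cppm": "198.51.100.20"}
RULES = [
    ("192.0.2.0/24", "198.51.100.20/32", "tcp", 443, 443),
    ("192.0.2.0/24", "198.51.100.20/32", "udp", 1812, 1813),
    ("192.0.2.0/24", "198.51.100.20/32", "tcp", 22, 22),  # not in the workflow
]

if __name__ == "__main__":
    print(audit(RULES, HOSTS))
```

With the sample rules, no required flow is missing, HTTP and CoA are reported as unconfigured optional flows, and the tcp/22 rule is flagged as not needed by the workflow.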