I got this working. You have to send a URL redirect and redirect ACL back to the switch from the initial auth. Once redirected, there has to be a separate service policy for a WebAuth (through ClearPass Guest portal). Once the WebAuth takes place, you should mark some attribute that they are a guest user and then role map based on that. On the re-auth, guest access should work.