Hi John,
I am a beginner, but out of curiosity, do you do a source NAT on your guest machines' IP when they call out to the captive portal? There was a lot of detail in your post and I wasn't sure if I missed that. AFAIK the guest machine needs to connect directly to ClearPass Guest, much like if the guest was accessing a web server. So if you are unauthenticated and you had ping open you should be able to ping etc., but VRDs I have read only suggest DNS, DHCP, HTTP (to ClearPass), HTTPS (to ClearPass) of course.
Good luck!
Cheers