You need a number of things:
1. Your client needs to be able to resolve DNS
2. Your guest VLAN on the controller needs an ip address
3. You need a command "ip cp-redirect-address <ip of vlan on guest network>" on the controller
4. You need a AAA profile that has an initial role that has the Captive Portal ACL.
5. The ACL in the role in step 4 needs a line that permits all traffic to the ip address of the ClearPass server
6. The initial role in step 4 should have a Captive Portal Profile configured.
7. The Captive Portal authentication profile in step 6 should have the URL of the ClearPass server login page in the "Login Page" parameter as "http://<clearpass server login page URL>" or "https://<clearpass server login page URL>"
Here is how it should work:
1. Client gets an ip address, dns server and dhcp server. The client ends up in the "initial role" for the AAA profile that has the Captive Portal ACL.
2. Client opens browser, resolves DNS, and attempts to open an http or https page.
3. The controller sees that the client is in a role that has the captive portal acl and looks to see what Captive Portal authentication profile is attached to that role.
4. The Controller redirects the client's browser to the http or https URL in the "login page" parameter in the Captive Portal authentication profile.
I skipped some detail, but check everything to make sure it is in place. The initial role is indeed used to put the user in a role that has the Captive Portal ACL to redirect the user's traffic to bring up the Captive Portal page. In other authentication methods, the initial role is where the user ends up, after failure, but in Captive Portal it is used to deliver the Captive Portal ACL to the user.
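
The checklist above, laid out as a controller configuration sketch. This is an added example, not part of the original post: it assumes ArubaOS controller CLI syntax and the predefined logon-control and captiveportal session ACLs, and every profile name, role name, VLAN number and address in it is a constructed placeholder.

```text
! Item 2: the guest VLAN has an IP address on the controller (placeholder values)
interface vlan 100
   ip address 198.51.100.1 255.255.255.0
!
! Item 3: redirect address set to the guest VLAN IP
ip cp-redirect-address 198.51.100.1
!
! Item 5: pre-authentication rule that permits traffic to the ClearPass server only
! 192.0.2.10 stands in for the ClearPass server address
ip access-list session allow-clearpass
   user host 192.0.2.10 any permit
!
! Item 7: Captive Portal authentication profile with the external login page
aaa authentication captive-portal "guest-cp-profile"
   login-page "https://<clearpass server login page URL>"
!
! Items 4 to 6: initial role carrying the Captive Portal profile and ACLs
! logon-control (assumed predefined) lets DHCP and DNS through (item 1)
! captiveportal (assumed predefined) is the Captive Portal ACL that triggers the redirect
user-role guest-logon
   captive-portal "guest-cp-profile"
   access-list session allow-clearpass
   access-list session logon-control
   access-list session captiveportal
!
! Item 4: AAA profile whose initial role is the role above
aaa profile "guest-aaa"
   initial-role "guest-logon"
```

The permit rule for the ClearPass address is listed ahead of the captiveportal ACL so that the client's request for the login page is allowed through rather than redirected again, and it is scoped to that single host so an unauthenticated client can reach nothing else.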