Hi Bill,
Thanks much for your post. Please make sure Clearpass servers are allowed in the initial role on the controller say for example, if the initial role is logon role to get the CP page; make sure you allow the clearpass servers. something like below.
user alias clearpass any svc-http permit
user alias clearpass any svc-https permit
Also make sure post auth role doesnt contain the dst-nat acls as that would re-direct loop back to captive portal page. Check for access tracker on the clearpass if there is any role returned to controller.
Thank you,
Sriram