John,
When the client connects to the wireless, they will fall into the initial role (user-role) which is configured on the controller. The user-role on the controller will have captive portal ACL's & captive portal profile which will redirect them to the clearpass guest login page. User sends the user name and password for the captive portal to the controller which is forwarded to the clearpass for authentication. Once authenticated, the client will fall into a different user-role on the controller(post-auth) which will allow the clients to get to the internet.
Answering your questions:
For guest authentication, we need to Profiles, policies and services needs to be created on both clearpass and controller.
You can view the mac-default role by checking the aaa profile on the controller.
#show aaa profile <profile name>