Hi,
One way to do it is as Tim said. Log into Policy Manager. Go to Administration -> Server Manager -> Server Configuration. Click on the server. Now you choose the Network tab. Here you will find a Restrict Access button under Application control where you can deny (or allow) access to different Clearpass modules from specified IP address,subnets,etc. For instance you could deny access to Policy Manager from your guest subnet.