As the screenshot indicates, you have two options:
1) Allow, then put in the subnets/IPs from which you want to allow access to the admin UI. Put in your admin IP addresses in here. Access from all other IP addresses will be denied in that case, including your guest range.
2) Deny, then put in the subnets/IPs for which you want to explicitly deny access. Everything else will be allowed.
Whenever possible, I would use the Allow option and only allow access from authorized IP ranges. The guest range will be automatically denied, and other ranges that you might not be aware of to have IP access.
Please also check the other services, like Insight, and lock those down as well during the hardening process.
When asking questions like these, it may be useful to get and read the ClearPass hardening guide from the ClearPass Technote section on the support website.