Sorry to resurect an old thread, but it's still one of the top results when searching for using the guest user role ID in the authorization policy.
For some reason using this query adds significant latency (150 ms) to the authentication process. This hasn't mattered much in the past, but Apple seems to have changed something in how Mac OS 10.12 and 10.13 processes the 802.11 association request/response. In short, if there is more than 300 ms latency in this process the device will fail to associate.
We were able to make the guest user role ID usable in the role mapping and enforcement policies by moving up the [Guest Device Repository] to the top of the list of authentication sources. This step is important, because once ClearPass finds an authentication source (as of 6.6.7), it will stop looking at any of the other defined sources.
Then in the role mapping policy, use the GuestUser type with the RoleID attribute to map the role ID to a specific user role.
Hopefully someone else finds this useful.
Thanks