I thought this tutorial on how to implement local egress Guest wireless with Clearpass Guest might be useful to others. I have fought this problem and even worked with the TAC to solve the dilemma of how to use Clearpass to authorize guests while placing authorized users on a local internet circuit. Best I (and the TAC) could come up with was to implement an additional controller to handle guest. Since this would add cost and complexity to my projects, I continued to noodle on it in my home lab.
After some time I figured out that the best solution was to allow the default gateway for the controller be the DHCP assigned internet gateway and put routes in to send the controller's management traffic out the management interface. Once that was done, NATing of the captive portal and DNS traffic operated correctly.
This is written in the style of Aruba VRDs. It has moved out of my lab and is currently implemented by my employer at multiple sites.
Enjoy