You can create a totally new VLAN just for guests and ensure that this is the Interface Group/VLAN that unauthenticated users get placed into when they associate with your open SSID (Guest). The WLC will send Radius requests to ISE via the managament VLAN and this will arrive at Gig0 on the ISE node (ISE listens to Radius/TACACS on all active interfaces). And then the security advice I can give you is that you host your guest portal on a different ISE interface - e.g. Gig1. This is easily done from the ISE GUI when you create the portal. This means that ISE won't listen on tcp/443&8443 on Gig0 - hence, guests won't be able to attack your ISE node kill your managment interface. Of course if you're not careful, they can still DOS ISE on Gig1. But you should be very restrictive in your Cisco WLC ACL's for portal user roles, and authenticated user roles. Portal users should only be allowed to perform DNS queries and talk tcp/8443 to ISE. Be as explicity as you can and even nail down the exact DNS servers in your ACLs!
For authenticated users you allow DNS, ISE and then block RFC1918 addresses, and finally, allow all the rest. That should ensure that Guests only get to internet. If you have a web proxy in your design, then the rule is a bit different - you don't allow all, but you simply allow all traffic to the proxy only, and then block the rest.
