thanks for the response balaji, I'm not seeing authentication profile order on those links.  I see the multiple authentication methods but the customer doesn't want both, if certain users are in a MAB group when they connect to this single SSID, they want them to gain access, if the user isn't in the group then they want the guest authentication portal to open.  

I have provided the information on the WLC side, what AAA infrastructure do you have? ISE?

I see the multiple authentication methods but the customer doesn't want both  - this is not both, you need to do an order of operation.

Since you have only single SSID  you need to pass the flow to validate end device based on condition.

If you have ISE the order of operation as below :

the user connects to SSID, and checks in the MAB database, if yes user gets authenticated. 

if not it will move to the next action to redirect to the portal since the user's device MAC is not identified.

example to get an idea :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

I think I'm following this now.  I'm going to test this out later this week and I'll respond back after that.  thanks for passing along these links.  

sure we will wait for the feedback

The solution for this scenario was to add "security web-auth on-macfilter-failure" under the wlan as even if the device was in the MAB group in ISE, they were still getting redirected to the web-auth page which was not the desired behavior.  Once that command was added, MAB worked successfully and if the user wasn't in the MAB group they received the webauth page from ISE which was originally working without the command above.