In the captive portal login role, you can create and add a policy to the top of the list to DENY udp 68 packets which are DHCP reply packets. If you have a rogue DHCP server, this line will prevent IP addresses from being handed out.
The syntax would be
ip access-list session prevent-rogue-dhcp-server
user any udp 68 deny
user-role cp-role
captive-portal "cp-profile"
access-list session prevent-rogue-dhcp-server
access-list session logon-control
access-list session captiveportal