@kdisc98, ACLs are processed in order right? so even if the DNS server and captive portal are within the internal net (which they are) that should matter right?
In order for the user to see captive portal - the controller must be able to resolve the client request.(and it's better first to do the logon-control and then after the captive-portal (the logon-control got all the needed basic services like DNS/DHCP/NAT...)
shamefully the system was rebooted and the issue went away, configwise nothing changed. still a bit in doubt what the cause could have been, but will use these tips for the next time.
Ok... :( :( i dont like not now to know what causing issues :)
Are u sure that the client u tested with didnt got other ACL while u tried to log in? it sound like your user-db had a record of your device....