It sounds like what you need is MAC auth. Are the users putting their details (MAC and password) into the captive portal login?
If you don't have a captive portal profile assigned to that VAP, then just use MAC auth and they will just be allowed on. Set the default role for the MAC auth to be that of internet access, but make the initial role to be the captive portal.
If a user connects with a MAC not in the internal db, then they'll get the captive portal. Your staff, with valid MACs, will get the internet-only role.
Is that what you're trying to achieve?