First question...do you want the users to authenticate through captive portal , which it is attempting?
If yes......then confirm that the role the users are in at that time has a captive portal profile associated with it. It looks like it is in a logon role with captive portal redirects, but a profile may not be chosen for that role.
If no....then alter the firewall polices of that role to not include the captiveportal acl in it, but permit http, https, etc.