If you see the Success message in the browser, that means that either:
- captive.apple.com is allowed through the captive portal, likely through a whitelist
or
- some form of CNA bypass is enabled and spoofing the Success message to your device.
or
- there is another path from your client to captive.apple.com that is more preferred and doesn't have the redirect.
For some reason, the request is not redirected and that results in the pop up not being shown.
What you could do is to find the role that the user is in during this situation (show users on CLI, of client view in WebUI), then carefully check what is in the role (CLI: 'show rights mylogonrole' if the client is in a role named mylogonrole). In the controller CLI you could also do a 'show datapath session' to see if and how the client hits the datapath. If you don't feel comfortable to do this analysis, it may be good to involve your Aruba partner or Aruba support.