Basically this, but crucially DNS must be working for you to get the captive portal.
- client opens browser and does a dns lookup for whatever site.
- response received from dns.
- Then client opens http to site.
- controller hijacks the http and sends a http-redierect back to client which says "site has moved to securelogin.arubanetworks.com".
- client does a dns lookup for securelogin.arubanetworks.com
- controller spoofs the response and gives it's own address.
- client opens http to controller and captive portal is presented.
It's neat to see it in action if you can get a wireshark capture of the whole process.