Run this command to see if any traffic could be getting denied:
show datapath session table <IP address>
Also make sure that the second role/default guest role <guest-role> that the user will be placed in after passing the captive portal auth allows DNS and HTTP/HTTPS.