The captive portal is bound to the role that is assigned to the user (as you found out that the logon role was assigned in your case).
In order to get your external captive portal selected, you need to create a role for that (I would try to avoid changing default/built-in roles or configuration), and make sure that is assigned.
The role is assigned in the aaa profile, which in turn is selected in the virtual-AP profile (WLAN) or the VLAN (wired). For wired, the port must be untrusted, as for a trusted port all authentication is disabled.
With the show user-table mac <mac> or show user-table ip <ip> or show user-table verbose, you can find what profiles are assigned and from there, if it is incorrect move backward in your configuration to find out why these are assigned. From there, you probably can see the error and correct it.
One more thing with captive portal, but that seems already correct as you see a redirect (but the wrong redirect), is that you need to have either an IP address assigned to the VLAN where the clients come in or you need to have tri-state-nat enabled in order for the controller to perform the actual redirection. This only applies if you don't see the redirect happen.