RKinsp, Captive Portal authentication is an L3 authentication and the Controller needs to communicate with the client over IP, e.g. to redirect the client to the external captive portal. But the IP does not need to be in the same VLAN as the client. It is recommended to have an IP in the client VLAN, because it makes everything easier. If you do not have an IP in the user VLAN, you need to make sure that the client can reach the controller IP from the client VLAN, e.g. using the main router or firewall. You also need to make sure that you enable Allow tri-session with DNAT in the firewall settings:
Hope this helps.