Hi cjoseph. We are using names (domains/url). However after facing this issue I configured an ACL in the preauth policy allowing every IP involved and the problem continues.
I will try "show firewall dns-names" and let you know th results.
Now that you mention the walled garden behaviur, I would like to understand it. When a user try to reach, let say www.google.com, and the page exist in the walled garden (e.g. *.google.com), the controller allow traffic for the IP address resolved by the DNS server that use the user or the DNS server that has the controller? Although we are using the same DNS server, the IP resolve could be different. This Captive Portal is in AWS and they return diffrent IP for the same FQDN. Thanks and regards.