By default the user falls into the "logon" role which has the ACLs to redirect it to captive-portal page when trying to access a web page.
If you want to allow other services before the user gets the captive portal, just create an ACL that allows those specific services and place that ACL above the captive-portal ACL under the logon role.
Default rights of "logon" role
---------------------------------------------------------------------------------------
(master) #show rights logon
access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 captiveportal
3 vpnlogon
4 v6-logon-control
5 captiveportal6
---------------------------------------------------------------------------------------
Role to allow specific services before captive portal
(master) #show rights logon
access-list List
----------------
Position Name Location
-------- ---- --------
1 logon-control
2 allow-services (for e.g. smtp, itunes app store / google play store)
3 captiveportal
4 vpnlogon
5 v6-logon-control
6 captiveportal6
Hope it helps!