You typically would use tri-session with DNAT if you have more than one VLAN that you want to do captive portal with. If you have a single VLAN, an ip address on that controller's VLAN, along with the ip cp-redirect-address command pointing to that ip address is sufficient.