Hello,
In some cases, the SEP firewall can prevent the captive portal to work properly due to the browser hijacking happening when users first try to access any URL.
In such cases, the client should have the firewall disabled, and enable it as soon as the internet connection is active.
A possible way to do so, is to use Location Awareness, and add a ping based rule. When the client can ping any public address, then is connected to the internet, otherwise is not.
Example: I am working for symantec, in that case it is a good idea to ping my company website i.e; www.symantec.com.
Hope that helps!!