seshuganesh
Staff
Article Id 267904

Description This article describes how to troubleshoot when the captive portal is not getting triggered.
Scope FortiGate.
Solution

If the user is not being presented with the captive portal, the traffic is not matching the user-based policy. Configure the following settings on the firewall so that the captive portal is triggered.


Configure a user-based policy as shown below and keep it at the top of the policy list:
Set the source address to the concerned user's IP, the destination address to ALL, and add the user or user group as the source identity.

 

[Image: 1.png]

 

After configuring this policy, the captive portal should trigger. If it still does not trigger and the user can still access the internet, the traffic is matching the IP-based policy below it.


To match the top user-based policy, configure the following settings:

 

config user setting
    set auth-on-demand always
end

 

Note: 

It is recommended to make this change outside business hours, as it might affect the internet connection and cause downtime.

 

Once this setting is configured, traffic will match the user-based policy created at the top, and the captive portal should be triggered.

 

Make sure to create an IP-based DNS policy above the user-based policies, as shown below, to pass DNS traffic.

 

[Image: 2.png]

 

In the CLI, edit the DNS policy and make sure captive-portal-exempt is enabled as well:

 

config firewall policy
    edit <id>
        set captive-portal-exempt enable
    next
end

 

In the above policy example, the incoming interface (port2) is the LAN interface, and the outgoing interface (port1) is the WAN/public-facing interface.
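The whole procedure above, collected into one FortiOS CLI session as an added example (it is not from the original article or from Fortinet). The address object name user-pc, the IP 192.168.1.10, the user group captive-users, the policy IDs 1, 10 and 11 and the interface names port2/port1 are constructed assumptions; the existing IP-based catch-all policy is assumed to already exist as policy 1, and the captive-portal-exempt and auth-on-demand settings are the ones the article describes.

```fortios
# Added example, not from the article. Assumed names: user-pc, captive-users,
# policy IDs 1 (existing IP-based policy), 10 and 11 (new), port2 = LAN, port1 = WAN.

# Address object for the concerned user (constructed IP)
config firewall address
    edit "user-pc"
        set subnet 192.168.1.10 255.255.255.255
    next
end

config firewall policy
    # 1) IP-based DNS policy, exempt from the captive portal so name
    #    resolution works before the user has authenticated
    edit 10
        set name "dns-exempt"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "user-pc"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set captive-portal-exempt enable
    next
    # 2) User-based policy: same source/destination, plus the user group
    #    (assumed to already exist) as the source identity
    edit 11
        set name "user-based"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "user-pc"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "captive-users"
        set nat enable
    next
    # 3) Ordering: DNS-exempt policy first, user-based policy second,
    #    the existing IP-based policy (id 1) stays last
    move 10 before 1
    move 11 before 1
end

# Make unauthenticated traffic match the user-based policy (and trigger the
# portal) instead of falling through to the IP-based policy below it
config user setting
    set auth-on-demand always
end
```

After applying this, verify the order with "show firewall policy" and confirm that policy 10 (DNS exempt) and policy 11 (user-based) sit above policy 1 before testing from the user's host; with auth-on-demand set to always, any non-DNS traffic from user-pc should now hit policy 11 and be redirected to the captive portal.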