
Welcome to the World Of Tomorrow, where fridges suffer certificate errors. Just like everything else

Michael Wojcik Silver badge

Chrome (and other Chromium-based browsers) and Firefox (and other Mozilla-based browsers) attempt to detect "captive portal" login pages, and show the "you may need to log in" message rather than the certificate-mismatch alert. I haven't investigated how their captive portal detection works.

Presumably, if the user allows the redirection to the portal's landing page, but the landing page doesn't have a certificate that matches the redirection URL, then you'd get a certificate-mismatch alert.

So: User requests a site over HTTPS. Portal detects user is not signed in and redirects (by DNS or IP) to the portal server, which attempts to respond with an HTTP redirect to the landing page, with a certificate for the portal (probably with either a DNS SAN for the portal's FQDN, or an IPADR SAN for the portal's fixed IP address). Browser sees the certificate validation failure but decides - somehow - that it's probably a captive portal.[1] Browser shows the "proceed to login" prompt; if the user accepts, it processes the HTTP redirect and validates that TLS conversation normally.

[1] I can think of some heuristics I might use here, some of which require allowing the connection and examining the untrusted response.
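
The name check behind the two outcomes in the comment above, as an added example that is not part of the original post: a simplified hostname-to-SAN match showing why the portal's certificate fails for the site the user asked for but validates for the landing page. The SAN list, host names and function names are constructed for illustration; chain and expiry validation are left out.

```python
import ipaddress

# Constructed SAN list for a hypothetical portal certificate (not from the post).
PORTAL_SANS = [("DNS", "portal.example.net"), ("DNS", "*.guest.example.net"),
               ("IP", "192.0.2.1")]


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and needs at least two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_matches(requested_host, sans):
    """True if the name the browser asked for is covered by the certificate SANs."""
    ip = _as_ip(requested_host)
    for kind, value in sans:
        if ip is not None:
            # IP literals are compared only with IP SANs, never with DNS SANs.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, requested_host):
            return True
    return False


def walk_flow(original_host, landing_host, sans=PORTAL_SANS):
    """Validation outcome for the intercepted request and for the landing page."""
    return {
        "intercepted": san_matches(original_host, sans),
        "landing": san_matches(landing_host, sans),
    }


if __name__ == "__main__":
    print(walk_flow("www.example.com", "portal.example.net"))
    print(walk_flow("www.example.com", "192.0.2.1"))
```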
