When you try to log in, does the system tell you you've been denied network access because you have entered invalid credentials?
The configuration looks good from what I can see: you have a user defined in the local password repository and you have the registration (auth and admin) defined in the AAA. You are positive that is the AAA configuration being used in the configuration, correct?
By default, the captive portal "Authenticated" portal methods will move the end system into the "Web Authenticated users" end system group. You can change the group that is assigned after authentication by using the LDAP/RADIUS group mappings, but these mappings will not have any effect on the authentication itself, just the authorization.
Also, one thing to note is that you're using the "Authenticated Web Access" portal type. This type of portal allows for a SINGLE session for the user, meaning that after authentication the NAC provides a short window of time in which the re-authentication is to take place and allow the user to gain elevated access. If the end system does not attempt re-authentication within 15-20 seconds, it may have missed its window of opportunity in this type of portal. Each time the session is ended, for any reason, the user must log in again. Typically we see better user experience with the "Web Authentication Registration" type, as this allows for a registration for a specific duration that is configured, so even if the end system goes idle, when it becomes active again it won't need to re-register through the captive portal.
As I previously stated, group assignment will not affect authentication of the device, but only the rule they'll have after they pass registration. If you're seeing the "Registration has been denied due to invalid credentials" I would recommend enabling Captive portal authentication debug to try and determine why the user's credentials are failing. (Right click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics --> Captive portal Authentication) Make sure to turn this off after you are done; it will fill up disk space.
If you're having a problem with the rule hit AFTER authentication of the user credentials is completed, check for reauthentication failures in the "Nac Appliance Events" tab on the bottom. Also, check for the username to show up in the end system events; that's the only way you can tell if the process was successful in an authenticated web access deployment without debug, as the end system MAC address will not be visible in any end system groups due to its temporary nature.
Here is a picture of it working on my lab system:
The events are ordered newest to oldest so you have to read it backwards.
5th line ---> user initially authenticated to the network
4th line ---> IP address resolution completed
3rd line ---> I authenticated through the "Authenticated Web Access" portal with user "test", reauthentication was completed which is why this new authentication is being displayed
2nd line ---> This is a NEW authentication that occurred after I forced reauthentication of the device to show the temporary nature of the registrations using this captive portal type.
1st line ---> IP address resolution completed.
Let me know if this helps.