Corporate - requirements are that the device is a domain computer and the user is a domain user (LDAP)
Consultants - user is a domain user (LDAP) and the MAC address is whitelisted in NAC
Guest - local users in NAC only
BYOD - user is a domain user (LDAP) and any device
Corporate, Consultants and BYOD are working very well. The rule hits, LDAP is working fine, authentication is passed and the user is dynamically assigned to the right VLAN based on groups.
But we have an issue with the Guest group. In the screenshot below, the user hit the right rule (Guest1_Wireless).
The screenshot below is the authentication results; the user also passed the authentication.
But the user is still rejected due to "the authentication is rejected by radius server" (proxy). As you can see in the screenshot above, the authentication is already passed with "Authentication request locally", so there is no need to forward the authentication request to the RADIUS server, but NAC still forwards it to the RADIUS server, which will naturally reject the request.
Why does NAC still forward the authentication request to the RADIUS server? It already hit the first authentication rule, which is "Authenticate request locally".
The configuration evaluation screenshots you have pasted were done on the end system when it was in a MAC authenticated state. The "Authentication" type is set to "MAC" authentication in the first two screenshots. MAC authentication by default is set to be processed locally, and there are no requirements for MAC authentication so it has been accepted, as expected.
The reject message authentication type is 802.1x. As Scott said above, the AAA configuration will determine what method is used to authenticate the user, so since you have an 802.1x authentication line in the AAA configuration, when the user is attempting to authenticate via 802.1x it will be sent to the back-end RADIUS server.
Do guests have a username/password that would be accepted by NPS? One of the issues with guest access on an 802.1x network is that they don't have working credentials, and will be presented with a prompt to put in credentials, which will always be rejected because they don't have any.
You may be able to utilize the "secure guest access" portal feature, where you have an open SSID where a user registers and EAC will dynamically create and send them credentials to use on the 802.1x SSID.
The Rules Engine should not pertain to the proxy RADIUS logic, but rather, the AAA Config. The Config EVAL Tool is something you'd want to rule out here for now, and use the NAC debug to troubleshoot instead.
NAC will proxy RADIUS traffic if your AAA Config is such that it is set up for Proxy RADIUS and also if a Local Authentication line higher in the AAA Config did not match. We'd need to see the NAC database and NAC debug to determine this in most cases. You can use this article to assist and you may also want to open a case with GTAC.
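A simplified model of the behaviour described in the replies above, added here as an illustration and not taken from the product or from any poster: the AAA configuration is treated as an ordered, first-match table keyed on authentication type and user pattern. The class, function names, user names and passwords are all constructed assumptions; it shows why the MAC-authenticated session is accepted locally while the same guest's 802.1X attempt is proxied and rejected, and how a Local Authentication line placed above the proxy line changes the outcome.

```python
import hmac
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class AAALine:                 # hypothetical model of one AAA config row
    auth_type: str             # "MAC", "802.1X" or "*"
    user_pattern: str          # glob matched against the user name or MAC
    method: str                # "LOCAL" or "PROXY_RADIUS"

LOCAL_USERS = {"guest1": "constructed-guest-pw"}   # constructed NAC local user
DOMAIN_USERS = {"alice": "constructed-domain-pw"}  # constructed back-end (NPS) user

def _check(store, user, password):
    stored = store.get(user)
    return stored is not None and password is not None and \
        hmac.compare_digest(stored, password)

def authenticate(aaa, auth_type, user, password=None):
    """Return (method of the first matching line, 'ACCEPT' or 'REJECT')."""
    for line in aaa:
        if line.auth_type in ("*", auth_type) and fnmatch(user, line.user_pattern):
            if line.method == "LOCAL":
                # MAC auth handled locally has no credential requirement
                ok = auth_type == "MAC" or _check(LOCAL_USERS, user, password)
            else:
                # Proxied: the back-end server only knows domain users
                ok = _check(DOMAIN_USERS, user, password)
            return line.method, "ACCEPT" if ok else "REJECT"
    return None, "REJECT"

# Configuration as described in the thread: MAC local, all 802.1X proxied.
AS_POSTED = [
    AAALine("MAC", "*", "LOCAL"),
    AAALine("802.1X", "*", "PROXY_RADIUS"),
]
# Same table with a local line for guest names above the proxy line.
WITH_LOCAL_GUEST = [
    AAALine("MAC", "*", "LOCAL"),
    AAALine("802.1X", "guest*", "LOCAL"),
    AAALine("802.1X", "*", "PROXY_RADIUS"),
]

if __name__ == "__main__":
    for name, aaa in (("as posted", AS_POSTED), ("with local guest line", WITH_LOCAL_GUEST)):
        print(name, authenticate(aaa, "MAC", "AA:BB:CC:00:11:22"),
              authenticate(aaa, "802.1X", "guest1", "constructed-guest-pw"))
```
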