Issue with WLAN 802.1x AD authentication

Rösti
Rösti Posts: 6  Freshman Member
First Comment Friend Collector

Having USG 700H and trying to setup 802.1x authentication of wifi clients on managed APs, but something doesn't work.

  • AD server is setup under User Authentication and working (user lookup is ok)
  • New user of type ext-group-user is created using AD definition and it also works fine using required group membership identifier.
  • SSID is setup for WPA2(3)-Enterprise set as "WPA Enterprise with = Internal Authentication server" and "Authentication server = AD configured above".

When I try to log in on the SSID and enter known credentials it doesn't work. I checked the FW and no rules are triggered/no traffic is observed on the AD interface. The logs say almost nothing:

AP log: User test (MAC: <OUI>) 802.1X auth failed on interface wlan-2-2.(Server: 10.50.200.1:1812)

Debug level: kernel [193934.502729] Can't find user (mac-users) profile in KUser_head

Not sure if the debug log is related, but it is generated at the time I try to authenticate, and reading the message and observing no traffic to the AD server, it looks like the entire config doesn't work.

I'm aware that an AD server alone is not enough to use .1x authentication, but my understanding is that the AP controller acts as an internal RADIUS component interacting with the external AD.

I've checked the FAQ here and the example of how to set up the config in question is very similar to what I've done, with some differences related to the old GUI.

Not sure though if any specific configuration of AD is required.

Any ideas?
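The two log messages quoted in the post are the only evidence the poster has to work with, so a small parser that pulls the user, MAC, WLAN interface and RADIUS server out of the AP failure line, and counts the firewall's "Can't find user ... profile" misses alongside them, is a practical way to see at a glance whether failures are all landing on one server and never progressing past the local profile lookup. This is an added example, not code from the original post or from Zyxel; the regexes are written from the two message formats quoted above, the sample log lines below are constructed (the MAC addresses are made up; the page itself redacts them), and the field names are my own.

```python
import re
from collections import Counter

# Regex for the AP-side 802.1X failure line as quoted in the thread.
AUTH_FAIL_RE = re.compile(
    r"User (?P<user>\S+) \(MAC: (?P<mac>[^)]+)\) 802\.1X auth failed "
    r"on interface (?P<iface>\S+?)\.\(Server: (?P<server>[^)]+)\)"
)

# Firewall debug line from the thread: the controller could not find a
# matching user profile at all, i.e. the request never reached AD.
PROFILE_MISS_RE = re.compile(
    r"Can't find user \((?P<kind>[^)]+)\) profile in KUser_head"
)


def parse_auth_failure(line):
    """Return the fields of an AP 802.1X failure line, or None if no match."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["mac"] = fields["mac"].upper()  # normalise MAC for grouping
    return fields


def summarize(lines):
    """Aggregate failures per RADIUS server and count profile-lookup misses."""
    by_server = Counter()
    users = set()
    profile_misses = 0
    for line in lines:
        failure = parse_auth_failure(line)
        if failure:
            by_server[failure["server"]] += 1
            users.add(failure["user"])
            continue
        if PROFILE_MISS_RE.search(line):
            profile_misses += 1
    return {
        "failures_by_server": dict(by_server),
        "users": sorted(users),
        "profile_lookup_misses": profile_misses,
    }


# Constructed sample lines modelled on the two messages quoted in the thread.
SAMPLE_LOG = [
    "User test (MAC: AA:BB:CC:11:22:33) 802.1X auth failed on interface "
    "wlan-2-2.(Server: 10.50.200.1:1812)",
    "kernel [193934.502729] Can't find user (mac-users) profile in KUser_head",
    "User alice (MAC: aa:bb:cc:44:55:66) 802.1X auth failed on interface "
    "wlan-2-2.(Server: 10.50.200.1:1812)",
    "kernel [193935.100000] Can't find user (mac-users) profile in KUser_head",
    "some unrelated line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If every failure points at the same server and each one is paired with a profile-lookup miss, the problem is upstream of AD (as the thread later concludes), and a capture on the AD interface is unlikely to show anything.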

All Replies

  • Zyxel_Melen
Zyxel_Melen Posts: 4,134  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Rösti

I did a local lab with the latest firmware version and got the same result as yours. I'm checking on this and will update you once I get further information.

    Zyxel Melen


  • Zyxel_Melen
Zyxel_Melen Posts: 4,134  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    edited November 21

    Hi @Rösti

Please help to check if you have done the join domain process. Please navigate to the User & Authentication > User Authentication page, select your AD server and click the Join Domain button.

    Zyxel Melen


  • Rösti
    Rösti Posts: 6 image  Freshman Member
    First Comment Friend Collector

    Hello @Zyxel_Melen,

    The AD host is within an external trusted network, I have no rights to onboard the firewall there. Is it required?

  • Zyxel_Melen
Zyxel_Melen Posts: 4,134  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Rösti

If you use WPA Enterprise with the internal authentication server and an AD server, you have to finish the join domain process, otherwise the firewall can't help your AP check the user against the AD server.

    Zyxel Melen