You have a tagged VLAN that clients connect over. They get an IP address in the correct pool from the UAG / USG. But the Web Authentication portal does not load.
My firewall rule LAN-to-Device is completely fine.
Please take care that you set your VLAN interface to "Internal"!
If it is set to "External" or "General", it won´t pass through the web authentication request of your clients in the VLAN.