1969 Views, 15 Helpful, 16 Replies

Is there a way to filter radius reply attributes on 9200L?

Hi,

I have a weird issue with a Catalyst 9200L switch. I try to use VLAN assignment on Ethernet ports through MAB. A query is sent to a RADIUS server, but as there is an "ssid" attribute in its reply, the switch rejects it:

Jan 14 18:57:36.523: %MAB-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authentication successful for client (3800.1850.287d) on Interface Gi1/0/1 AuditSessionID 1E0E800A00000427B1A4F42A
Jan 14 18:57:36.529: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (3800.1850.287d) on Interface GigabitEthernet1/0/1 AuditSessionID 1E0E800A00000427B1A4F42A. Failure Reason: Service Set ID Failure.

Do you know a way to filter some reply attributes on the switch?

Thanks.

16 Replies

balaji.bandi
Hall of Fame

What version of code is it running?

Check whether this bug affects you.

Check below thread and see If that can help you to resolve the issue :

https://community.cisco.com/t5/switching/dot1x-authentication-not-working-on-cisco-9300/td-p/3790370

If you are still having the issue, post the output below:

show version

What do you see in the logs on ISE?

show run interface gig1/0/1

show authentication sessions

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

There is a difference between the first bug and mine, as MAB is successful:

#show auth se int g1/0/1 details
Interface: GigabitEthernet1/0/1
IIF-ID: 0x16EB4DF8
MAC Address: 3800.1850.287d
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 38001850287d
Status: Unauthorized
Domain: DATA
Oper host mode: single-host
Oper control dir: in
Session timeout: N/A
Common Session ID: 1E0E800A0000042BB1C214B6
Acct Session ID: 0x00000002
Handle: 0xa4000032
Current Policy: POLICY_Gi1/0/1


Server Policies:


Method status list:
Method State
mab Authc Success

---

About 3790370, I'm not sure where the screenshot comes from... Is it from the switch GUI?

The switch version is 17.6.4

The ISE logs (FreeRADIUS) also say that the authentication is successful.

For me, the issue is situated after the end of the MAB authentication, when the received RADIUS attributes are parsed and an error code invalidates the authentication:

#show authentication sessions
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi1/0/1 3800.1850.287d mab DATA Unauth 1E0E800A0000042BB1C214B6

Session count = 1

 

So you are using FreeRADIUS; what is the end device?

As far as the switch is concerned, it still shows Unauth, which means there is an issue between RADIUS and the switch.

Is this for all clients or only a single device? Enabling debug on RADIUS and the switch will give more information.

You have not provided the config:

show run interface gig1/0/1

 

BB


I tried a standard laptop and a Cisco Phone (not detected as voice equipment).

show derived-config interface Gi1/0/1
Building configuration...

Derived configuration : 506 bytes
!
interface GigabitEthernet1/0/1
switchport mode access
switchport nonegotiate
authentication periodic
access-session host-mode single-host
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
storm-control broadcast level pps 5k 2.5k
storm-control multicast level pps 25k 12.5k
storm-control unicast level pps 170k
spanning-tree portfast
service-policy type control subscriber POLICY_Gi1/0/1
end

And I simplified the policy to the extreme...

As I said in another reply, it is 100% sure that without the wireless attribute, VLAN assignment is done with no error.

OK, so if you connect a laptop or a phone, this does not work? OK, got it...

As I asked, is this the only issue with this port? Is nothing working?

Trying to understand the issue more broadly here: are you trying only MAB authentication, with any connected device assigned a VLAN and IP address on authentication success? Here is the flow:

[image: authentication flow diagram, not reproduced]

I saw in your other post that you were able to fix the issue. Is this fixed, or are you still looking for assistance?

 

BB


Friend, just check the switch IP you added in ISE. I think there is an IP conflict if your network has any wireless WLC/AP.

This is not an IP conflict issue. I agree that sending ssid attributes from the FreeRADIUS server is not very useful (for the switch), but it should not interpret them. I suppose that the switch runs code shared between multiple Cisco models, some of them with integrated wireless controllers. So there is a failure when the attribute is received on one with no wireless...

Let's keep the SSID aside for a minute.
What authz does ISE return to the switch?
Is it a dACL,
or is it a VLAN ID?

It is relatively simple... When I manually suppress Cisco-AVPair val=ssid=TOTO from the RADIUS reply, everything works perfectly.

RADIUS returns Tunnel-Private-Group-ID with the VLAN name.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-16/sec-usr-radatt-xe-16-book/sec-rad-attr-v-scng.html

You can use

authorization [accept | reject] listname

As a workaround, friend, check the AVP number, add it to the list, and reject it.

That is what I'm looking for. But strangely this command is not available on my switch: 

9.    Router(config)# radius-server host {hostname | ip-address} [key string

So I need to configure radius servers by: 

radius server rad1
address ipv4 10.127.0.44 auth-port 1645 acct-port 1646
key mypwd1

and I'm not sure that the following "Router(config)# radius-server attribute list listname" is applied to anything.

I think it will work in your case,
but this is a workaround;
you must know why ISE returns the SSID in the first place.

Unfortunately it does not. From the switch configuration I can see an orphaned piece of configuration:

aaa group server radius my-radius-group
server name rad1
server name rad2
authorization reply reject CON-WIRED

aaa authentication dot1x default group my-radius-group
aaa authorization exec default local
aaa authorization network default group my-radius-group

 

radius-server attribute list CON-WIRED
attribute 26

radius server rad1
address ipv4 10.10.0.44 auth-port 1645 acct-port 1646
key myrad1
!
radius server rad2
address ipv4 10.10.0.45 auth-port 1645 acct-port 1646
key myrad2

 

I know why ISE returns SSIDs: it is used for authentication of both wireless and wired clients, and as until now Cisco switches were not failing on ssid attribute replies, I did not have to create a personalized reply depending on the Wireless-802.11 and Ethernet NAS-Port-Types.
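To make concrete what the attribute-list workaround above does to the Access-Accept, here is an added example (not code from the thread, and not Cisco's implementation) that models the two filtering options in plain Python. It builds a constructed RADIUS reply carrying the VLAN assignment plus two Cisco-AVPairs: the "ssid=TOTO" pair from the thread and a hypothetical "ip:inacl#1=..." dACL pair, which is an assumption added to illustrate the caveat. The first filter mirrors what "radius-server attribute list CON-WIRED / attribute 26" with an authorization reject list does: it discards every Vendor-Specific attribute (type 26) regardless of content, so any dACL, url-redirect or other Cisco-AVPair the server sends is dropped along with the ssid. The second filter is the shape of the server-side fix (only the ssid pairs go), which keeps everything else intact. All attribute values are constructed for the example.

```python
"""Model of RADIUS Access-Accept attribute filtering (constructed example).

Assumptions for illustration: VLAN name 'USERS', the 'ssid=TOTO' pair from
the thread, and a hypothetical 'ip:inacl#1=...' dACL pair.
"""
import struct

VENDOR_CISCO = 9              # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type of Cisco-AVPair inside VSA 26
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_integer(tag: int, number: int) -> bytes:
    """RFC 2868 tagged integer: a 1-byte tag followed by a 3-byte value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def cisco_avpair(text: str) -> bytes:
    """Wrap a Cisco-AVPair string as Vendor-Specific(26) / vendor 9 / type 1."""
    data = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)


def build_sample_access_accept() -> bytes:
    """Constructed reply: VLAN assignment plus two Cisco-AVPairs (assumed values)."""
    return b"".join([
        attribute(ATTR_TUNNEL_TYPE, tagged_integer(1, TUNNEL_TYPE_VLAN)),
        attribute(ATTR_TUNNEL_MEDIUM_TYPE, tagged_integer(1, TUNNEL_MEDIUM_802)),
        attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"USERS"),
        cisco_avpair("ssid=TOTO"),                      # the pair the 9200L fails on
        cisco_avpair("ip:inacl#1=permit ip any any"),   # hypothetical dACL entry
    ])


def parse_attributes(payload: bytes) -> list:
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes) -> tuple:
    """Decode Vendor-Specific: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor length")
    return vendor, vtype, value[6:4 + vlen]


def apply_reject_list(attrs: list, reject: set) -> list:
    """Model of 'attribute 26' in a rejected attribute list: every attribute whose
    type number is listed is discarded, whatever its vendor or content."""
    return [(t, v) for t, v in attrs if t not in reject]


def drop_ssid_avpairs(attrs: list) -> list:
    """Narrower, server-side style filter: drop only Cisco-AVPairs carrying ssid=."""
    kept = []
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, data = parse_vsa(v)
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR and data.startswith(b"ssid="):
                continue
        kept.append((t, v))
    return kept


def summarize(attrs: list) -> list:
    """Human-readable view of what the switch would be left to apply."""
    out = []
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, data = parse_vsa(v)
            out.append(f"VSA({vendor}/{vtype})={data.decode()}")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            out.append(f"Tunnel-Private-Group-ID:{v[0]}={v[1:].decode()}")
        else:
            out.append(f"attr{t}")
    return out


if __name__ == "__main__":
    attrs = parse_attributes(build_sample_access_accept())
    print("as received      :", summarize(attrs))
    print("reject list {26} :", summarize(apply_reject_list(attrs, {26})))
    print("ssid pairs only  :", summarize(drop_ssid_avpairs(attrs)))
```

Running it shows the VLAN attributes (64, 65, 81) survive both filters, but with the whole-type reject list the dACL pair is lost together with the ssid pair. If anything else in the deployment relies on Cisco-AVPairs from this server, the narrower server-side fix (a reply that differs by NAS-Port-Type) is the safer one.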

[screenshot: lab output, not reproduced]

I ran a lab: the first attempt to log in to R1 shows "hello Bob";
the second, after I applied the authz list and rejected attribute 18, the hello message is removed.

authorization reply reject CON-WIRED <<- you use "reply", which makes the switch check the Access-Reply; please remove "reply" and check again.