Due to the lack of responses here, I'm going to post my own answer that I found by myself. Hope this helps someone else who needs it.
I was using a very comprehensive rule that matched most of the conditions. So I added a static Endpoint Identity Group, placed my manually created known MAC addresses inside that group, and edited the condition part of the "Basic_Authenticated_Access" authz rule to contain just that Endpoint Identity Group. This time, every time a guest user wants to access the network, he goes through the whole process as expected.