It seems quite obvious now that I'm looking in the proper place. The initial role was set to be MAC-Computers, which is what the authenticated role was supposed to be.
I changed it to denyall as the initial role, as the purpose behind the MAC SSID was to bypass the captive portal page (for e-readers, etc). This seems to be keeping rogue machines off the network. Here's my configs just in case anyone else runs across this issue (bolded the changed line), or in case there's a problem with doing it this way.
Thanks for the quick suggestions!
(Aruba6000) # show aaa profile MAC-Computers
AAA Profile "MAC-Computers"
---------------------------
Parameter Value
--------- -----
Initial role MAC-Computers
MAC Authentication Profile MAC-Computers
MAC Authentication Default Role MAC-Computers
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role MAC-Computers
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
And after the change:
(Aruba6000) # show aaa profile MAC-Computers
AAA Profile "MAC-Computers"
---------------------------
Parameter Value
--------- -----
Initial role denyall
MAC Authentication Profile MAC-Computers
MAC Authentication Default Role MAC-Computers
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role MAC-Computers
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled