@Prestidigitation wrote:
The mac-auth-only role is primarily used for wired clients."
i believe that line is the important one. with wired you sometimes have the posibility to do auth on mac if dot1x doesnt work for some reason.
with wireless this is not possible, you need succesful dot1x to get access. there is no middle ground here.