The "initial role" is what you want a user to get if they do not authenticate. If there is an Open SSID, a WEP SSID or a WPA/2-PSK SSID, the initial role is what they get upon association. If the initial role is an "allowall" role like authenticated, the user will simply be able to pass traffic without doing anything. If the initial role is "logon", which is a captive portal role, the user will be presented with the captive portal upon successful association.
The default 802.1X role is what a user gets if that user passes 802.1X authentication. This of course can be overridden with RADIUS attributes returned from the server, or server derivation rules.
If MAC authentication is enabled in the AAA profile and the user passes MAC authentication in combination with something else, the default MAC authentication role will become the resulting user's role.
I hope that makes sense.
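As an added example that is not part of the original post: a small Python check that parses `aaa profile` stanzas and flags profiles whose initial role is an allow-all role, so clients can pass traffic on association without authenticating. The sample configuration is constructed, and the stanza layout and the set of allow-all role names are assumptions to adjust for your controller.

```python
import re

# Roles treated as "allow all" for this check (assumption; adjust to local role names).
ALLOW_ALL_ROLES = {"authenticated", "allowall"}

# Constructed sample in the style of ArubaOS running-config output.
SAMPLE_CONFIG = '''\
aaa profile "corp-dot1x"
   initial-role "logon"
   authentication-dot1x "corp-dot1x-auth"
   dot1x-default-role "employee"
!
aaa profile "guest-open"
   initial-role "authenticated"
!
aaa profile "iot-psk"
   initial-role "logon"
   authentication-mac "iot-mac-auth"
   mac-default-role "iot-device"
!
'''

ROLE_KEYS = ("initial-role", "dot1x-default-role", "mac-default-role")


def parse_aaa_profiles(config_text):
    """Return {profile_name: {setting: value}} for each 'aaa profile' stanza."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r'^aaa profile "?([^"]+?)"?\s*$', line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None and line[:1].isspace():
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0]] = parts[1].strip().strip('"')
        else:
            current = None  # '!' or any unindented line ends the stanza
    return profiles


def open_initial_roles(profiles, allow_all=ALLOW_ALL_ROLES):
    """List profiles whose initial role lets clients pass traffic on association."""
    return sorted(name for name, cfg in profiles.items()
                  if cfg.get("initial-role", "").lower() in allow_all)


if __name__ == "__main__":
    parsed = parse_aaa_profiles(SAMPLE_CONFIG)
    for name, cfg in parsed.items():
        print(name, {k: cfg.get(k) for k in ROLE_KEYS})
    print("open initial role:", open_initial_roles(parsed))
```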