When you apply the MAC auth profile and the client connects (but on the wrong VLAN), can you run the following command and note the role the user is in, the Authentication status, the VLAN Derivation and the Role Derivation?
show user ip <ip of user>
Name: , IP: 192.168.13.154, MAC: 00:24:d7:1c:c2:c8, Role:authenticated, ACL:60/0, Age: 00:04:56
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 13, Assigned: 0, Current: 13 vlan-how: 0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x108b (tunnel 11)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: authenticated role-how: 10
Essid: home, Bssid: 00:24:6c:bf:61:40 AP name/group: basement-125/home-aps Phy-type: g-HT
RadAcct sessionID:n/a
RadAcct Traffic In 116843/11533866 Out 174910/86422626 (1:51307/0:0:175:65066,2:43838/0:0:1318:46178)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:home-aaa, dot1x:default-psk, mac: CP: def-role:'authenticated' sip-role:'' via-auth-profile:''
ncfg flags udr 1, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Core User Born: 1375477695 (Fri Aug 2 16:08:15 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 192.168.13.154, from DHCP server 0.0.0.0
Device Type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/6.0; .NET4.0E; .NET4.0C; InfoPath.3; .NET CLR 3.5.30729;