Okay. Here is how it should go:
In the AAA profile, if there is a mac authentication profile and a mac authentication server group, the device will attempt mac authentication (if either one is missing, mac authentication will not be performed). For the device to pass mac authentication, the mac address must be in the local database in the proper format.
If the device passes mac authentication, he will be assigned the mac authentication default role, OR he will be assigned the role that his mac address is assigned to, if the "value-of" rule is in the mac authentication server group.
If the device does NOT pass mac authentication, it will remain in the "Initial Role" of the AAA profile. If the initial role has the Captive Portal ACL, then whatever Captive Portal Authentication Profile is assigned to the Initial Role will be used. The Captive Portal Authentication profile has a server group assigned, and that will determine what username and password database (server group) the user's username and password will be checked against. If the user logs in successfully, he will be assigned the role in the internal database because of that "value-of" rule you have in the server group.
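
The role-derivation flow described in the post above, modelled as an added Python example (it is not part of the original post and is not vendor code). The class and field names, the sample database, the use of the mac address as both username and password, the exact-string lookup standing in for "proper format", and the `cp_default_role` fallback are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ServerGroup:
    """Constructed stand-in for a server group backed by the internal database."""
    db: dict                  # username -> (password, role)
    value_of: bool = False    # True when the group carries the "value-of" role rule

    def authenticate(self, user, password):
        """Return (ok, role); role is set only when the value-of rule applies."""
        rec = self.db.get(user)   # exact string match, so the stored mac format matters
        if rec is None or rec[0] != password:
            return False, None
        return True, (rec[1] if self.value_of else None)

@dataclass
class AAAProfile:
    initial_role: str
    mac_profile: Optional[str] = None              # mac authentication profile name
    mac_server_group: Optional[ServerGroup] = None
    mac_default_role: str = "guest"
    cp_server_group: Optional[ServerGroup] = None  # set when the initial role has captive portal
    cp_default_role: str = "guest"                 # assumption: fallback without value-of

def role_after_association(p, mac):
    """Role right after the device associates (mac authentication stage)."""
    if p.mac_profile is None or p.mac_server_group is None:
        return p.initial_role          # either piece missing: mac auth is not performed
    # Assumption: the mac address is presented as both username and password.
    ok, role = p.mac_server_group.authenticate(mac, mac)
    if not ok:
        return p.initial_role          # failed mac auth: device stays in the initial role
    return role or p.mac_default_role  # value-of role if present, else the default role

def role_after_portal_login(p, current_role, user, password):
    """Role after a captive portal login attempt made from the initial role."""
    if current_role != p.initial_role or p.cp_server_group is None:
        return current_role            # the portal is only offered in the initial role
    ok, role = p.cp_server_group.authenticate(user, password)
    if not ok:
        return current_role            # bad credentials: user stays where he is
    return role or p.cp_default_role
```

Walking a device through both functions shows the practical consequence: an entry stored in a different mac format, or a missing mac authentication profile or server group, leaves the device in the initial role, so that role's ACLs decide what an unauthenticated device can reach.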