If a role does not exist on a controller (or responding section in the MM device tree), for 802.1X authentication the 802.1X default role is applied, similar for MAC auth, and if no authentication happens (or auth fails and authentication fail-through is enabled) the initial role is applied. Each of these can be configured in the AAA profile:
Recommended is to return a role (or derive, as you do) during the authentication.