A user will ALWAYS get the initial role of the AAA profile that he is attached to. If you make this a "deny all" profile that has no ACLs, users that do NOT pass MAC authentication will end up in this role. Users that do pass will be assigned the MAC authentication user role, OR the role assigned to their MAC address in the local user database.
It will be quite painful to expose all of the options available to you on the forum here, so I suggest you open a TAC case if you want quick, concise support.