In the enforcement policy there are 2 conditions. The first condition checks if the tips roles [MAC Caching] and [Guest] and [User Authenticated] are set. But they are not (marked red).The second condition checks if the tips roles [Guest] or [Contractor] or [Employee] are set. But they are not (marked purple).It does not match any condition, but the enforcement policy uses the default profile [Deny Access Profile] (marked green).The mac-address authentication has also not failed, although the endpoint with the mac-address does not exist yet.
Your service uses [Allow All MAC AUTH] (marked green) as Authentication Methods and authenticates against the [Endpoints Repository] (marked green). Basically anonymous mac-address authentication is performed, regardless of whether the mac-address exists or not the authentication is always successful.