When removing the following from the generated guest-mac-policy:
AND(Authorization:[Guest User Repository]:AccountExpired EQUALS false)
AND(Authorization:[Guest User Repository]:AccountEnabled EQUALS true)
Then everything works as expected. Users who have never authenticated get the captive portal; users with the mac-expiry-auth value set get MAC authentication.