@Herman Robers Think you are mistaken there.
@nbhave
This has always been expected behaviour on the controller for OPEN or PSK SSID's.
On MAC-auth success you get the MAC-auth default role (or whatever role from the internal database if you server rules).
The MAC-auth faillure (reject) you get the initial role (which can be a 'deny all' or guest-logon if you need).
L2 Fail-through was (is) when you combine 802.1X and MAC-auth on a single SSID. Typically you stay far, FAR away from L2 fail-through (or better yet, use Clearpass).
L2 fail-through result table: