I think I understand.
Create a new server group and then put the internal database in it. Make that new server group your mac authentication server group in the AAA profile.
What is happening to you is that the default and internal server groups have this rule:
role value-of String set role
Which means, when users authenticate to that server group, return the role of the user in the internal database, which at the highest level will default to guest when you add users in the local database. If you authenticate to your new server group, there will be no rule requiring that the role of the user be returned, which means the users who mac authenticate should then take the default mac authentication role.
I hope that makes sense and works for you.