Oh, one thing I forgot to mention: check Aruba's Solution Exchange. There are a couple of configurators for 802.1X configs where you can put in your own IPs etc. and then get the config from there.
I ran the wizard; the config is below. I still don't know how to set the 802.1X -> MAB timeout, but I remember I once tested this and there was some magic involved, as it worked like I wanted it to. If the client did 802.1X, the switch didn't send a MAC auth request, but fallback also worked. Still not sure how it worked; with other vendors I always have to specify that it either sends both .1X and MAC at the same time or waits a fixed amount of time (I think 20s is optimal) and then sends MAC auth.
#Authentication server configuration
#Define authentication server host and pre-shared key
radius-server host 10.133.0.10 key "RadiusPassword"
#Set selected port access authentication mode
aaa authentication port-access eap-radius
#Configure selected backup authentication method
aaa authentication port-access eap-radius none
#Enable dynamic authorization message processing
radius-server host 10.133.0.10 dyn-authorization
#Set selected dynamic authorization time window and mode
radius-server host 10.133.0.10 time-window 0
#802.1X authentication configuration
#Configure specified ports for 802.1X authentication
aaa port-access authenticator 1-12
#Set 802.1X authenticator ports to client-based mode and configure client limit
aaa port-access authenticator 1-12 client-limit 8
#MAC-based authentication configuration
#Configure specified ports for MAC-based authentication
aaa port-access mac-based 1-12
#Configure MAC address limit for authenticator ports
aaa port-access mac-based 1-12 addr-limit 8
#Configure redirect server for self-registration of unauthenticated MAC addresses
aaa port-access mac-based unauth-redirect ""
#Activate 802.1X authenticator on configured ports
aaa port-access authenticator active
I believe you need to have the authenticator client-limit set up if you want to use both 802.1X and MAC auth on the same port, or it will complain about something. Dyn-authorization means that the RADIUS server can send back CoA.
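
Added example, not part of the original post and not Aruba tooling: a small Python check that reads a config in the form shown above and reports ports running both 802.1X and MAC auth without a client-limit, 802.1X ports with the authenticator never activated, and a CoA host that has no key line. The client-limit rule is taken from the post's own statement rather than vendor documentation, the function names are hypothetical, and only numeric port lists such as `1-12` are handled.

```python
import re

# Constructed sample: the wizard output from the post, comments removed.
SAMPLE = """\
radius-server host 10.133.0.10 key "RadiusPassword"
aaa authentication port-access eap-radius none
radius-server host 10.133.0.10 dyn-authorization
aaa port-access authenticator 1-12
aaa port-access authenticator 1-12 client-limit 8
aaa port-access mac-based 1-12
aaa port-access mac-based 1-12 addr-limit 8
aaa port-access authenticator active
"""

def expand(ports):
    """Expand a numeric port list such as '1-4,7' into a set of ints."""
    out = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config):
    """Return a list of findings for the three consistency checks."""
    dot1x, mab, limited = set(), set(), set()
    keyed, coa, active = set(), set(), False
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "aaa port-access authenticator active":
            active = True
        elif m := re.match(r"aaa port-access authenticator ([\d,-]+)( client-limit \d+)?$", line):
            dot1x |= expand(m[1])
            if m[2]:
                limited |= expand(m[1])
        elif m := re.match(r"aaa port-access mac-based ([\d,-]+)", line):
            mab |= expand(m[1])
        elif m := re.match(r"radius-server host (\S+) (key|dyn-authorization)\b", line):
            (keyed if m[2] == "key" else coa).add(m[1])
    findings = []
    missing = sorted((dot1x & mab) - limited)  # rule as stated in the post
    if missing:
        findings.append(f"802.1X+MAC ports without client-limit: {missing}")
    if dot1x and not active:
        findings.append("802.1X ports configured but authenticator not active")
    for host in sorted(coa - keyed):
        findings.append(f"CoA enabled for {host} but no key line for that host")
    return findings
```
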