First off, WPA2-Personal (= WPA2-PSK) isn't really authentication. (Even after the device has associated, you have no idea who has been associated, since every device connected uses the same passphrase.)
When the user connects using the correct passphrase, he ends up in the "initial role", which is defined in the aaa-profile.
You have this initial role set to the logon user-role. This role does indeed have a limited lifetime after which the association process starts again. If you change this initial-role to guest (instead of logon) you get the same rights (no PEF means everything is allowed) but without the reconnect every 10 minutes.
With WPA2-PSK this initial role is the only role ever applied to a client. If a user tries to connect without having the correct passphrase, he is denied access altogether and receives no role or IP address at all.
WPA2 (WPA2-Enterprise) is different from this, as it requires a username and password instead of a passphrase and does end up in the "802.1X Authentication Default Role" after authenticating (with a basic config not enforcing machine authentication). If authentication fails, he doesn't receive any role or IP address.
All of the above is possible without a PEF license installed on the system.
Without a PEF license, any and all user-roles allow everything.
With a PEF license installed you can create new rules and configure any rule to allow or disallow whatever you like.