You probably need to figure out what is the shorter list:
- The devices that you want to allow on to your network,
- The devices that you want to keep off of the network
If the devices that you want to allow is fairly short, you can add their mac addresses to the internal database and only those devices will be let on.
If the devices you want to keep off is fairly short (I'm sure it is not), you can add them to the list of blacklisted devices, so that they can never get on.
If you are already at 128, you need a more scalable solution like ClearPass to manage those devices and possibly Onboard within ClearPass to only allow certain BYOD devices onto your network.
For now, if you configure one of your Windows Servers as a radius server and authenticate using username and password, that will at least only allow authorized people who have valid credentials onto your wireless network. You can optionally put individuals who are authorized into a Windows group and allow them to get onto the network, but that will get as tiresome as managing mac addresses. Ultimately, I suspect you will just let everyone on who has domain credentials, because anything else is too mangement-intensive.