I'll give it a try...
1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1) [Deny Access Profile]
You can't use this in your scenario - since that just counts the number of devices that are in the endpoint database connected with the same username.
Or keep it there, but use a custom "Redirect profile" to Captive Portal, instead of the [Deny access profile].
But ok - try first to remove that - and rely on a post_authentication enf.profile normally called "Guest Session Limit" if you create a MAC-auth service using the Wizard.
That should disconnect the client if he has more than x active sessions. X is the number you've either set in Guest Manager, or manually edited for your self-registration.
Let me know how that works out :)