Create a User-Derivation rule that references those MAC addresses and puts the user in the denyall role. This will stop them from receiving an IP address thus stopping them from entering the user table. Then in your AAA profiles for the guest and secure networks, select the UDR.