There´s a thing called "User derivation rules" in the controller that you can play around with to for example put certain mac-address-OUIs into a deny all role. Look it up in the user guide, unfortunately it does require quite a bit of maintenance to add new OUIs as they pop up on the market.
Another way to go would be to user Clearpass as a profiler and mac-auth server to allow only certain types of devices.
Cheers,