True MAC authentication takes places at the beginning of the association process. If you want to authenticate the user through Captive Portal, then do an check on the MAC post authentication, you'll need something like ClearPass that is flexible enough to do this check as part of the Captive Portal logon. It really wouldn't be MAC "authentication"; but more of a MAC check/authorization against a list or known database of MACs.