Okay, you can't do this with MAC addresses... the limit of the internal database is 4000!
The solution here is using EAP TLS... guess you are using EAP PEAP....
Just install the certificates to those machines you want... and make it not exportable... so they cannot export it...
For mass distribution, you don't want to do it machine per machine... you can try arubaquickconnect... but then you will have to buy it, but well, it's cheaper than clearpass... you can ask for a demo so you can see if it fills your needs.
To enhance the explanation a little, if you don't know, but if you know, well, good :)
EAP PEAP, you know, it checks the user and password of the AD to see if it is a valid client; the problem here, and the problem you are encountering, is that the user can just put that user and pass on the other devices....
EAP TLS uses user certificates instead of user and password... if they don't have the user certificate installed in their machine then they won't be able to connect... and also you can make that certificate not exportable so they cannot just export it and import it to the other devices that are not allowed.
Cheers
Carlos
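
The non-exportable requirement described in the reply above can be checked on a client with a short audit; this is an added example, not part of the original post. It assumes Windows clients, RSA keys, and user certificates stored in `Cert:\CurrentUser\My`; the function name `Test-KeyExportable` is hypothetical.

```powershell
# Added example: list client-authentication certificates in the current user's
# store and report whether each private key can still be exported.
# Note: Import-PfxCertificate marks the key non-exportable unless -Exportable is passed.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-KeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        return $null                     # key not accessible (e.g. missing container)
    }
    if ($null -eq $rsa) { return $null } # not an RSA key
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: exportable if either export flag is set in the policy
        $mask = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
                [int][System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
        return (([int]$rsa.Key.ExportPolicy -band $mask) -ne 0)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Where-Object {
        # Keep only certificates whose EKU extension lists Client Authentication
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Exportable = Test-KeyExportable -Cert $_   # $true means the key can be copied off
        }
    } | Format-Table -AutoSize
```

Any row with `Exportable` set to `True` is a certificate that can be moved to another device, so it should be reissued or re-imported without the exportable flag.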