Josh,
You can use a user-derivation rule to wildcard the phone MAC addresses instead of using the internal user database; however, since the AAA-Profile also has to accommodate legitimate user/machine auth, you will still see the MAC Auth from the phone, as it will hit the same policy. Perhaps I'm confused on the setup.
Best regards,
Madani