OK, I set up a user rule with a bunch of MAC addresses in it to force the user role to denyall. Testing it out on my phone, it seems to work beautifully. I assume that this only kicks in when a machine authenticates, so if I needed this to kick off currently attached users I would have to wait for them to reboot the machine, which isn't a big deal.
When removing the "test" device from the list of MAC addresses, it seems to take some time to push out to access points, but at least it works. Thank you very much for your knowledge.