Greetings!
I assume you have the mac-address entered into a field in the AD account. This field you have to extract during authentication, and use for authorization.
It's a tad tricky, but definately doable if you have some insight to your AD and SQL. Should be roughly something like this:
Navigate to Authentication Source, create a copy of your AD auth source. This new one is the one you will use in your service so as not to ruin anything in production. (or create a copy you can revert to if you mess up the production one ;)
Edit the new Auth Source. Click on the Authentication Filter. If you already know the name of the mac-add field, enter it similar to the other fields in here under "Configuration" (Alias and the field-name as string). If you're not sure of the name of the field, click the tab Attributes and you should be able to find this here.
->> Click Save after completion.
Ok - now you have a few ways to do this, but the most direct way is to edit your enforcement policy. In the rule that matches your user/machine authentication add in a line like this:
Type=Authorization:AD-SOURCE
Name=MAC-ALIAS (as you entered in the auth-source)
Operator=EQUALS
Value=%{Radius:IETF:Calling-Station-Id}
Now - you need to make sure they are input exactly the same. If you store the mac-address in AD differently than what your NAS sends, then you want to use a different value to check against. If you NAS sends UPPERCASE with hyphen - then you do this:
Value=%{Connection:Client-Mac-Address-Upper-Hyphen}
Check a 1x authentication record in your Access Tracker under Computed Attributes to find the different variations to use. One of this SHOULD match what you input in the AD-field ;)
Good luck and shout out if you need any further assistance!