First, thank you both for your help. I know I have to be real close on this but something is still missing. I'm not sure where I'm missing it. Here is what I have done.
Under Security>Authentication>User Rules I created a user rule called MAC-FILTER. In that filter I placed two entries. One is a macaddr starts-with where I specify an OUI that belongs to several of the wireless picking devices. I also put in another entry as an equals that has the full MAC address of another chosen device. Remember I'm just testing here. When we figure this out there will be a few more.
Under Security>Authentication>Profiles>AAA Profiles I chose the AAA profile that belongs to the VAP in question. I changed the initial role to "denyall" and then changed the user derivation rules to "MAC-FILTER" and applied.
I went back to check my clients and nothing happened initially. I don't know if I needed to force it but, to force a reassociation, I rebooted a couple of the APs the clients were associated to. They immediately changed APs and the client role then showed as "denyall".
However, I can still ping the clients that are showing denyall. The default denyall role doesn't actually have a policy associated with it which I thought would mean it would hit the implicit deny. Of course in reading it only talks about a firewall policy with no rules having an implicit deny so I added a firewall policy to denyall with no rules. I reapplied and bounced again and it is still pinging. So then I tried a policy with explicit denies with the same result. So I'm missing something here in how this is working. I at least have the role getting assigned properly. That seems to be working perfectly. But the result is that the role is not accomplishing what we desire and that is a denial of access to any clients not defined in MAC-FILTER.
I would appreciate any further help.
I do have to make one further comment, though, unrelated to this thread. I am THRILLED with this system. When I went through my training I was thoroughly impressed. But when the rubber hit the road it did not disappoint. This is the first major wireless change we have made for this customer that we actually flipped from one system to another with zero problems. Distribution centers are challenging environments. Distribution centers with a mix of different RF clients, some old, some new, are even more challenging. We have had good experiences where we have only had a few minor problems and had to troubleshoot various things. Did I say this is the FIRST time we have moved them to a new system with ZERO problems? Everything just worked. My hat is off to Aruba.