As a pen tester, getting into a network with legacy devices after having physical access to the premises is not such a huge success in itself. Actually, you should always expect this result when using MAC auth, as it is not a strong security measure (if at all). But the pen tester still has to find a way to do something harmful with that access.
To prevent some harm, for all those devices that are limited to MAB you should set a restrictive ACL that only allows them to access the minimum services they need to do their work. For a phone, you would open only the SIP server and DNS. For a printer, you enable access from the print server. Etc. Then, maybe set up a PVLAN and enable Dynamic ARP Inspection to prevent the attacker from accessing other devices in the same VLAN/L2 network.
Then follow the best practices to configure your servers. Keep them patched, use proper passwords and strong keys or 2FA, fail2ban, and the likes.
For everything that supports dot1x, just use it.
If you want to spend some money, you can also invest into some user behaviour monitoring tool like Introspect, that would probably alert you when that spoofed "phone" would start doing unusual portscans or uploading stuff to the internet. Then you could feed that event to ClearPass and shut the port down.
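As an added illustration of the two ideas in this reply (a per-role allowlist for MAB devices, and alerting when a "phone" starts behaving unlike a phone), here is a small flow-evaluation script. It is example code, not anything from the original post or from Aruba; the roles, MAC addresses, server IPs and flow records are all constructed, and the Introspect/ClearPass integration is only named, not modelled.

```python
"""Added example (not from the original post): check NetFlow-style records against
the restrictive per-role allowlist a MAB device should be confined to, and flag
scan-like fan-out from a device that is supposed to be a phone or a printer."""
from collections import defaultdict

# Hypothetical per-role allowlist, mirroring a restrictive ACL: (proto, dst_ip, dst_port).
# A phone may reach only DNS and the SIP server; a printer only the print server.
ROLE_ALLOW = {
    "phone":   {("udp", "10.0.0.53", 53), ("udp", "10.0.0.10", 5060)},
    "printer": {("tcp", "10.0.0.20", 9100), ("tcp", "10.0.0.20", 631)},
}

# Hypothetical MAB session table: MAC -> role assigned by the switch/NAC at authentication.
MAB_SESSIONS = {
    "00:11:22:aa:bb:01": "phone",
    "00:11:22:aa:bb:02": "printer",
}

# Constructed flow records: (src_mac, proto, dst_ip, dst_port).
FLOWS = [
    ("00:11:22:aa:bb:01", "udp", "10.0.0.53", 53),
    ("00:11:22:aa:bb:01", "udp", "10.0.0.10", 5060),
    ("00:11:22:aa:bb:02", "tcp", "10.0.0.20", 9100),
    # the "phone" below starts touching many ports on a file server: scan-like
    *[("00:11:22:aa:bb:01", "tcp", "10.0.0.40", p) for p in (22, 80, 135, 139, 445, 3389)],
]

SCAN_PORT_THRESHOLD = 5  # distinct unexpected ports on one host before we call it a scan


def evaluate_flows(flows, sessions=MAB_SESSIONS, allow=ROLE_ALLOW, threshold=SCAN_PORT_THRESHOLD):
    """Return (violations, scanners). violations: flows outside the device's role
    allowlist (unknown MACs count too). scanners: MACs whose violations fan out over
    >= threshold distinct ports on a single destination host."""
    violations = []
    ports_seen = defaultdict(set)  # (mac, dst_ip) -> set of unexpected dst ports
    for mac, proto, dst_ip, dst_port in flows:
        role = sessions.get(mac)
        if role is None or (proto, dst_ip, dst_port) not in allow.get(role, set()):
            violations.append((mac, role, proto, dst_ip, dst_port))
            ports_seen[(mac, dst_ip)].add(dst_port)
    scanners = sorted({mac for (mac, _), ports in ports_seen.items() if len(ports) >= threshold})
    return violations, scanners


if __name__ == "__main__":
    bad, scanning = evaluate_flows(FLOWS)
    for entry in bad:
        print("outside role allowlist:", entry)
    for mac in scanning:
        print("scan-like behaviour from MAB device; candidate for port shutdown:", mac)
```

In a real deployment the `scanning` list is what you would hand to the NAC (ClearPass in the reply above) to bounce or disable the port; here it is just returned.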