Keep in mind as well that Clearpass offers a unique authentication source called "Allow All MACAUTH" WIth this, we can leverage other context outside of maintaining a MAC address database for these users.
Essentially, Clearpass will allow any MAC address as valid for mac auth purposes. Then, with policy, you can assign roles or deny access based on other variables such as:
MAC OUI (Connection:Client-MAC-Address BEGINS WITH <value>)
MAC Vendor (Connection:Client-MAC-Vendor CONTAINS <value>)
Profile Info (Authorization:[Endpoints Repository]:Category OR OS Family CONTAINS <value>)
Hostname (Authorization:[Endpoints Repository]:Hostname CONTAINS <value>)
Or even a Custom Attribute YOU add to the Endpoint DB record for the device
All in all, you can write a very secure/granular policy without having to maintain specific MAC addresses