Before performing any authentication I first, setup Passive and Active Profiling on CPPM. This populates the EndPoint Database with all the devices on your network.
Then you can set those EndPoints you want to allow access using MACAUTH to "Known" devices then only allow Known devices onto the network.
The devices are also profiled so you can use any of the profile and fingerprint information to further control access . i.e. If the device is a printer put it in the "Printer" VLAN.
Regards,
Nigel