Maintaining mac addresses (moves adds and changes) can be a nightmare, so we do not advocate doing that ever. If you want to do mac authentication on top of PSK, you need to create three different mac authentication profiles:
One with "dash" delimiter, one with "colon" delimiter and one with "none" as the delimiter.
Assign the mac authentication profile with "dash" to the first building, the one with "colon" to the second building and the one with "none" to the third building". Enter mac addresses into the internal database that only need to connect to the first building with dashes, mac addresses that need to connect to the second building with colons, mac addresses that need to connect to the third building, with no delimiters.
If a user connects on building one, it will check the user's mac address with the format xx-xx-xx-xx-xx-xx, building two xx:xx:xx:xx:xx:xx and the third building xxxxxxxxxxxx.
The second method involves having a radius server like Clear Pass Policy Manager which can use the "Aruba-AP-Group" radius attribute that can be used along with the user's group membership to determine who is allowed to get on. Microsoft IAS and NPS are not extensible enough to see or act on that attribute.