Using PSK, you cannot completely block users from being on the network on MAC authentication failure. You CAN, however, send them to a captive portal page upon failure:
In the AAA profile, make sure that the initial role is "logon". This is the role a user gets if they have not passed MAC authentication. In the AAA profile, also configure the default MAC authentication role, which is what a user gets if they pass authentication.
This is how it should work:
If a user associates and their MAC address is not in the database, they should stay in the "logon" role, which typically produces a captive portal when they attempt to browse. If the user associates and their MAC address IS in the database, they will get the MAC authentication default role in the AAA profile and they will be able to do whatever that allows.
Only 802.1X authentication allows you to completely block users if they do not successfully MAC authenticate. Using PSK, you can only force them to be in a role with fewer IP privileges.
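The setup described above, sketched as an added configuration example that is not part of the original post. It assumes an ArubaOS controller CLI; every profile, role and SSID name is a placeholder, the role "mac-passed-example" is assumed to exist already, and the "internal" server group is assumed to hold the MAC address database.

```text
! Constructed example: all names below are placeholders.
aaa authentication mac "mac-auth-example"
!
aaa profile "psk-mac-example"
   ! Role a client stays in until (or unless) MAC authentication passes.
   initial-role "logon"
   authentication-mac "mac-auth-example"
   ! Role a client gets once its MAC address is found in the database.
   mac-default-role "mac-passed-example"
   ! Assumed: MAC addresses are stored in the controller's internal database.
   mac-server-group "internal"
!
wlan ssid-profile "psk-ssid-example"
   essid "example-psk"
   opmode wpa2-psk-aes
   wpa-passphrase <passphrase-placeholder>
!
wlan virtual-ap "psk-vap-example"
   aaa-profile "psk-mac-example"
   ssid-profile "psk-ssid-example"
```

After a client associates, `show user-table` shows which of the two roles it was given, which confirms whether an unknown MAC address stayed in "logon".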