FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
achu
Staff
Article Id 343657
Description

This article describes how to configure the MAC address filter on SSID using an address group.

Scope

FortiGate, FortiAP.
Solution
  1. Create an address object with the type 'Device (MAC Address)'. 

Go to Policy & Objects -> Addresses -> Address -> Create new -> Select OK.

 


  2. Create an address group, name it mac-group, and add the MAC address object created.

    Go to Policy & Objects -> Addresses -> Address Group -> Create new -> Add 'client-1' as member -> Select OK.
                                                          


  3. Apply the MAC filter object under the SSID configuration from the CLI. This is also configurable in the GUI.

     

     

config wireless-controller vap
    edit TEST_SSID
        set address-group-policy allow
        set address-group mac-group
    next
end

 

Iriz-kvm46 # show wireless-controller vap
config wireless-controller vap
    edit "TEST_SSID"
        set passphrase ENC emklW5NUzpD+FPjvpqLkMXYSR4T0XZAp9hPgXSbxIbE7NNbUakqUunzbW2xyUq1IAK9+NY9AjLMR3av3xzpGASpYSj/anaD7RyA2SYjkLpoorIzJ2HCJTxXaMaKLaH7XLuHhR24pT1QjgBZ4raaqr0vUCH/yGGbjmxvs0KnGNB947hrdl2CwlNqspgj4LKrWoBCukVlmMjY3dkVA
        set selected-usergroups "Guest-group"
        set schedule "always"
        set captive-portal enable
        set address-group "mac-group"
        set address-group-policy allow
    next
end

 

 

Users who are members of Guest-group and whose MAC address matches the MAC address in the object group will be able to connect to the captive portal. If the MAC address does not match, the user will not be able to connect to the SSID/captive portal and will get an authentication error.
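To confirm from a saved configuration that every SSID carries this filter, the following added example (not part of the original article and not a Fortinet tool) parses `show wireless-controller vap` output and lists each SSID that has no address group or whose address-group-policy is not allow. The sample configuration is constructed: TEST_SSID mirrors the article and GUEST_OPEN is a hypothetical second SSID.

```python
import re

# Constructed sample in the shape of `show wireless-controller vap` output.
# TEST_SSID mirrors the article; GUEST_OPEN is a hypothetical SSID.
SAMPLE = '''\
config wireless-controller vap
    edit "TEST_SSID"
        set selected-usergroups "Guest-group"
        set captive-portal enable
        set address-group "mac-group"
        set address-group-policy allow
    next
    edit "GUEST_OPEN"
        set captive-portal enable
    next
end
'''

def parse_vaps(text):
    """Return {ssid_name: {setting: value}} from a vap config block."""
    vaps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = vaps.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # "set", key, value
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return vaps

def mac_filter_findings(text):
    """List SSIDs whose MAC filter is not an allow-list bound to a group."""
    findings = []
    for name, cfg in parse_vaps(text).items():
        group = cfg.get("address-group")
        policy = cfg.get("address-group-policy")
        if not group:
            findings.append((name, "no address-group set"))
        elif policy != "allow":
            findings.append((name, f"address-group-policy is {policy!r}, not allow"))
    return findings

if __name__ == "__main__":
    for name, why in mac_filter_findings(SAMPLE):
        print(f"{name}: {why}")
```

Blank lines and the CLI prompt line in pasted output are ignored, so the text can be copied straight from a console session.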

 

Related document:

Adding a MAC filter 
