achu
Staff
Article Id 343657
Description

This article describes how to configure the MAC address filter on SSID using an address group.

Scope

FortiGate, FortiAP.

Solution
  1. Create an address object with the type 'Device (MAC Address)'. 

Go to Policy & Objects -> Addresses -> Address -> Create new -> Select OK.


  2. Create an Address Group, name it mac-group, and add the MAC address object created.

    Go to Policy & Objects -> Addresses -> Address Group -> Create new -> Add 'client-1' as member -> Select OK.

  3. Apply the MAC Filter object under the SSID configuration from the CLI; this is also configurable in the GUI.

config wireless-controller vap
    edit TEST_SSID
        set address-group-policy allow
        set address-group mac-group
    next
end

 

Iriz-kvm46 # show wireless-controller vap
config wireless-controller vap
    edit "TEST_SSID"
        set passphrase ENC emklW5NUzpD+FPjvpqLkMXYSR4T0XZAp9hPgXSbxIbE7NNbUakqUunzbW2xyUq1IAK9+NY9AjLMR3av3xzpGASpYSj/anaD7RyA2SYjkLpoorIzJ2HCJTxXaMaKLaH7XLuHhR24pT1QjgBZ4raaqr0vUCH/yGGbjmxvs0KnGNB947hrdl2CwlNqspgj4LKrWoBCukVlmMjY3dkVA
        set selected-usergroups "Guest-group"
        set schedule "always"
        set captive-portal enable
        set address-group "mac-group"
        set address-group-policy allow
    next
end

 

Users who are members of Guest-group and whose MAC address matches an entry in the address group will be able to connect to the captive portal. If the MAC address does not match, the user will be unable to connect to the SSID/captive portal and will receive an authentication error.
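
To confirm which SSIDs actually carry the filter, the following added example (not part of the original article and not Fortinet tooling) parses saved 'show wireless-controller vap' output and reports, per SSID, whether both address-group-policy and address-group are set. The function names parse_vap and audit_mac_filter and the sample entries LAB_SSID and OLD_SSID are assumptions made for illustration.

```python
import shlex

# Constructed sample in the page's output format; LAB_SSID and OLD_SSID are hypothetical.
SAMPLE = """\
config wireless-controller vap
    edit "TEST_SSID"
        set passphrase ENC <redacted>
        set address-group "mac-group"
        set address-group-policy allow
    next
    edit "LAB_SSID"
        set schedule "always"
    next
    edit "OLD_SSID"
        set address-group "mac-group"
    next
end
"""

def parse_vap(text):
    """Return {ssid: {option: value}} for the top-level vap entries."""
    vaps, current, depth = {}, None, 0   # depth 1 = inside the vap table
    for line in text.splitlines():
        try:
            parts = shlex.split(line)
        except ValueError:               # unbalanced quote, e.g. a wrapped line
            continue
        if not parts:
            continue
        if parts[0] == "config" and (depth or parts[1:] == ["wireless-controller", "vap"]):
            depth += 1                   # the vap table or a block nested inside it
        elif parts[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and parts[0] == "edit" and len(parts) == 2:
            current = vaps.setdefault(parts[1], {})
        elif depth == 1 and parts[0] == "set" and len(parts) >= 3 and current is not None:
            current[parts[1]] = " ".join(parts[2:])
    return vaps

def audit_mac_filter(vaps):
    """Classify each SSID: '<policy>:<group>', 'incomplete' or 'no-mac-filter'."""
    report = {}
    for ssid, opts in vaps.items():
        policy, group = opts.get("address-group-policy"), opts.get("address-group")
        if policy and group:
            report[ssid] = f"{policy}:{group}"
        else:
            report[ssid] = "incomplete" if (policy or group) else "no-mac-filter"
    return report
```

Lines that do not start with a CLI keyword, such as the continuation of a wrapped passphrase value, are ignored, so output pasted from a terminal can be audited as-is.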

 

Note that the number of MAC address members in an address group is limited. Refer to this link for more details: Technical Tip: Add more MAC addresses when using Address group policy authentication.

 

Related document:

Adding a MAC filter