Hmm, on second thought, maybe the RADIUS-based MAC filtering won't help here.
I'm not a wifi expert, so take this all with a grain of salt, but I suspect what might be happening is that the "Client MAC Address Filtering" is either just an additional MAC-based black/white-list, or it only bypasses PSK/EAP authentication, but perhaps it doesn't affect the state of the captive portal. After all, captive portal has it's own "bypass list" - the "Exempt sources" field.
What if you try with the SSID set to simply "Captive Portal"? If there's any chance, I would find this option more likely to be bypass-able than e.g. "WPA2+Captive Portal". But I give no guarantees, just throwing some ideas on the wall here. :)
[ corrections always welcome ]