PSK with mac auth ??
It depends on what do you prefer to do. If you prefer the dummy-VLAN, then just re-provision the ARP to be linked with a dummy-VLAN (do not create a VLAN in the access switch, and traffic will be discarded at the access switch). This process can be done in "Unified Access -> Unified Profile -> Template -> Access Role Profile". Select the ARP associated with the SSID and select "Apply to Devices". Then link the ARP with a Dummy-VLAN.
If you prefer some QoS rules, then select the ARP in the same place, and EDIT it. Go to "QoS Rules" and define the needed rules. Apply the ARP to devices again, in this case with a good VLAN.
Then, for the VALID ARP (returned once the UPAM MAC-Auth is OK), in the same place, define a NEW ARP, and "Apply to Devices" with the VALID VLAN.
Then go to the UPAM -> Authentication Strategy, and select the one linked with your need.
In "Network Enforcement Policy" -> Default Access Role Profile, select the VALID ARP. It will be applied if MAC-Auth is ok.
You can do it per STA, if you want. In the definition of each MAC (STA) you can configure an ARP linked with the STA, so you can be very granular.
Role Priority is from Top priority to lowest priority:
User ARP -> Authentication Strategy ARP -> SSID default ARP
Well, without 802.1x (802.11i) or so called WPA2/3-Enterprise, there is no way to move users out of the network. Remember that in MAC-Auth, it is the AP who starts the RADIUS process, as the STA (device) has no 802.1x supplicant or did not start the EAP process. So the STA is associated (PSK)...
I would recommend to define an ARP (Access Role Profile) with a dummy-VLAN or a set of QoS rules blocking all traffic, for the associated STA, and another ARP returned by UPAM with the appropiate VLAN/QoS rules for properly authenticated STA.
That way, if MAC-auth fails, the user is trapped. If the MAC-auth is OK, returns a new role, and the user can use the network.
PSK + MAC-Auth can be configured in the SSID (see attached picture).
It allows selecting the RADIUS, UPAMRadiusServer by default. The wizard with populate the Access-Policy and Auth-Strategy in UPAM.
By default the UPAM Local Database is used, you will have to manually populate the MAC-addresses.
What is the use case? If it is Guest management, you can chose directly from Cirrus to generate a PSK + Captive Portal that will do MAC-Auth as well.