create a SSID with PSK and enable MAC-Athentication.
In Advanced Configuration check that Local Database is selected. In Default Access Role Profile select the appropriate Access Role Profile in which the client should be mapped.
In Manage Guest Devices add your Company Property with the correct MAC-address.
In the VLAN-ID field add a Dummy VLAN ID (e.g. 999) which leads to nowhere.
Click Save and Apply to AP Group!
Now the client connects to the SSID with the correct PSK. Due to the Dummy VLAN the client will not receive an IP-address so far.
The MAC-Auth takes place next. If the MAC-address matches with the Company Property an IP-address will be received based on the Default Access Role Profile defined in the Authentication Strategy.
If the MAC-address does not match the access will be denied!
Please also refer to TKC article: 000048680
Hope this helps!