Or even better a "macs allowed" file (to make sure that users can't login with the mac as username).
Yes, that is already in the works. Though, not done in any file. Instead, I am using the macallowed configuration in combination with a new macallowlocal flag which means the macallowed list is allowed without any RADIUS auth. Of course, general RADIUS based mac auth is still available by turning on the macauth flag.