You are correct that MAC locking is not in the feature set.
If the systems that you have on your network can support it, I think RADIUS would be your best option for this scenario. Check volume 9 of the Concepts & Examples guide.
I use this for wireless security by computer via internal certificate authority. We distribute the certificates and authority to domain computers and check them on request for wireless access. But RADIUS can also be applied to physical ports too. You do need to deploy a central RADIUS server to handle the authentication challenges. Windows has this as an add-in role option and I've been using that as an additional role on an existing server.
The SSG can also be an Infranet Enforcer for the UAC product line too. But that involved deploying the UAC controller and developing a rule set from there. This is helpful if you have lots of locations or rules to manage. But under the hood this is also just using RADIUS and EAP as the means for the control.