I think what you're asking about is called Network Access Restrictions (NAR). It enables you to define authorization and authentication conditions that must be met before a user can access the network.
In your case this means that someone's MAC-address should be listed in the ACS-server, else it won't get internet access.
I couldn't find a configuration guide for version 4.0, so here's one for 4.1! That should also contain enough information about configuring NAR:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/cfg41.html
Please rate if the post is usefull!
Regards,
Michael