Jay,
Currently the only way to allow game consoles through is to permit their MAC address as we can not authenticate gaming consoles. We do sell a product, the NAC Profiler, that will profile MAC addresses so that if a Windows machine spoffed the MAC address it would see that it was no longer a gaming console and could change the profile removing the MAC exemption. This takes some configuration on the Profiler but that is one way to prevent spoffing while still using MAC exemptions.
You can find more information about the NAC Profiler here:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806b7d4e.html
Profiler is the only current solution we have but we do have products on the roadmap for this, you may want to contact your Cisco Account Team for more information regarding upcoming products.
--Jesse