Hi Ned,
Getting the MAC address from a client depends on Javascript retrieving the address and inserting it into an HTTP header in requests. A client could easily modify this value to anything they want using simple browser addons. So from a security perspective this would be a bad idea to use for access control.
You could potentially use an iRule or for more functionality, APM, to perform the authentication against a remote auth database. If there are three applications which require auth, you could use an iRule or APM to reduce this to one login.
Aaron