I'd suggest taking a look at 802.1X which will allow only authorized devices on the network by controlling the port state on the switch. The biggest problem is likely to be the practicalities of managing 5000 MAC addresses across one or more RADIUS servers, so to get round this you'll also need to look at what options are available for setting up a supplicant on the client devices.
Use ACS 5.x or ISE with 802.1X.
Even if you want to use just MAC address based access control, you'll want a centralized management system to support 5000 users.
See attached PDF (from Cisco Live 2011) for more clues.
As has been mentioned, you want Dot1x tied to ACS. You can pair this with AD and machine certificates to authenticate them, because MAC addresses are a weak authentication form. With certificates you can dynamically expire them via a domain-level CRL.
We're doing a form of this and it's working beautifully. One thing to note is that you may want to look into NAC/MAB for non-certificate capable devices so that they still get authenticated via MAB policy.