grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Filter by MAC address on ethernet ports

Thu Apr 22, 2021 11:41 am

I have a CCR with a CRS configured with VLANs.

I would like to prevent people being able to turn up and plug their machine into a port on the switch and have internet/LAN access.
I can see plenty of information on setting up Wi-Fi MAC filtering, but what would be the best approach on wired connections?
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Filter by MAC address on ethernet ports  [SOLVED]

Sun Apr 25, 2021 4:49 pm

You could use bridge filters to block unknown unicast MAC addresses, but it soon gets unwieldy for many addresses and will use CPU resources checking every packet against multiple rules. Alternatively you could only assign DHCP addresses for known MAC addresses instead of having a general pool.

Both of these approaches are readily bypassed by cloning the MAC address of a device on the network; a secure method would be to use 802.1X authenticating against individual credentials or using certificates - this is the wired equivalent to using WPA2-Enterprise (not WPA2-PSK) on wireless networks.
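
The three options from the reply above, side by side as RouterOS commands. This is an added example, not configuration posted by either participant; the port ether5, the DHCP server name dhcp1, the MAC address, the IP addresses and the RADIUS secret are all constructed placeholders.

```routeros
# Added example: ether5, dhcp1, the MAC, the IPs and the secret are placeholders.

# Option 1: bridge filter allowlist on one access port.
# Accept frames from a known source MAC, drop everything else arriving on the port.
# One pair of accept rules is needed per allowed device, which is why the
# rule list grows quickly; the check also trusts the MAC the client presents.
/interface bridge filter
add chain=forward in-interface=ether5 action=accept comment="known PC" \
    src-mac-address=02:00:00:00:00:10/FF:FF:FF:FF:FF:FF
add chain=input in-interface=ether5 action=accept comment="known PC" \
    src-mac-address=02:00:00:00:00:10/FF:FF:FF:FF:FF:FF
add chain=forward in-interface=ether5 action=drop comment="unknown source MAC"
add chain=input in-interface=ether5 action=drop comment="unknown source MAC"

# Option 2: no general DHCP pool, leases only for listed MAC addresses.
# This only withholds an address; a client with a manually configured IP
# is not stopped by it.
/ip dhcp-server lease
add server=dhcp1 mac-address=02:00:00:00:00:10 address=192.168.88.10 \
    comment="known PC"
/ip dhcp-server
set [find name=dhcp1] address-pool=static-only

# Option 3: 802.1X on the access port, with credentials or certificates
# checked by a RADIUS server. The port stays closed until the client
# authenticates, so a copied MAC address alone does not open it.
/radius
add address=192.168.88.5 secret="CHANGE-ME" service=dot1x
/interface dot1x server
add interface=ether5
```

Option 3 also needs a RADIUS server holding the user or certificate policy and a supplicant configured on each client, neither of which is shown here.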
