We are a school with two SSIDs, a production 802.1X and an open captive portal SSID for guests. It's a boarding school, so we are doing BYOD with ClearPass. We used to have a WPA key on the guest network, and then sponsorship, but that was "too hard" for visitors to get online, so now it's a self registration page. I struggle with kids getting on there, and while it's not a big deal as it's filtered, and shut off the same time their production network is, it's just VERY annoying and they take up DHCP reservations, etc. We give all students iPads, so we know the MACs on all of them, so I was trying to set up a rule in the service to prevent them from even associating to the guest SSID, but was unsucessful. I know this won't help with their other personal devices (yet), but it would be a good start. I tried using a static host list, and also creating a new attribute for the endpoint, but wasn't able to get it working. I was hoping someone here has done the same thing and can point me in the right direction.
TIA!