There are several different ways to accomplish this.
If you 'trust' any user that has an AD account, then simply use that to get them onto the Employee SSID with .1x. They'll get any device onto the network with their ID. You could then use device fingerprinting to put BYOD OSes into roles that limit access, assign different VLANs, etc.
If you only want certain employees to be able to get their BYOD onto the network, then it gets a bit more tricky.
One way would be to stand up an SSID doing .1x with EAP-TLS as the authentication mechanism instead of EAP-PEAP. Assuming you have a local Certificate Authority, you can put a certificate on trusted devices and connect them to that SSID. You would then use device fingerprinting on the Employee SSID to push any BYOD OSes into a role that either assigns them an Internet Only ACL or a Dead End ACL. Either ACL will prohibit employees from getting onto corporate network resources with their BYOD and trigger a help desk call to get a certificate issued and get them on the EAP-TLS SSID.
There are many options... if the trusted devices all have accounts in Active Directory you could also 'force machine authentication' and assign roles based on that series of disposition checks as well. There is a great section in the UG about Machine Authentication. Hope this helps.
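The role-derivation logic the post describes (EAP-TLS SSID for certificate-bearing devices, fingerprinting on the Employee SSID to push BYOD OSes into an Internet Only or Dead End role, and optional machine authentication), as an added example in Python that is not part of the post or any vendor's code. The SSID, role, ACL and OS-class names are constructed assumptions, and the machine-auth branch models the four machine/user pass-fail outcomes the post refers to as disposition checks.

```python
"""Model of the role assignment described in the post.
Role, ACL, SSID and OS-class names are constructed for illustration."""
from dataclasses import dataclass

# Fingerprint OS classes treated as BYOD (constructed list).
BYOD_OS = {"ios", "android", "macos"}

# Constructed roles and the ACL each carries.
ROLE_ACL = {
    "trusted-device": "allow-corp",      # cert on EAP-TLS SSID
    "employee-corp": "allow-corp",       # corporate OS or machine+user auth
    "machine-only": "domain-logon-only", # machine passed, no user yet
    "byod-internet-only": "internet-only",
    "dead-end": "deny-all",
    "logon": "deny-all",                 # pre-auth / failed auth
}

@dataclass
class Session:
    ssid: str          # "Trusted-TLS" or "Employee" (assumed names)
    eap: str           # "EAP-TLS" or "EAP-PEAP"
    user_ok: bool      # user credential accepted by AD
    machine_ok: bool   # computer-account (machine) auth accepted
    os_fp: str         # fingerprinted OS class, "" if unknown

def derive_role(s: Session, enforce_machine_auth: bool = False) -> str:
    """Pick a role from the strongest evidence down to the weakest."""
    if s.ssid == "Trusted-TLS":
        # Only a valid client certificate gets anyone on this SSID.
        return "trusted-device" if s.eap == "EAP-TLS" and s.user_ok else "logon"
    if s.ssid != "Employee":
        return "logon"
    if enforce_machine_auth:
        # Four outcomes of the machine/user disposition checks.
        if s.machine_ok and s.user_ok:
            return "employee-corp"
        if s.machine_ok:
            return "machine-only"
        if s.user_ok:
            return "byod-internet-only"   # real user, but not a domain machine
        return "logon"
    if not s.user_ok:
        return "logon"
    # Fingerprint decides; an unidentified device gets the Dead End ACL.
    if not s.os_fp:
        return "dead-end"
    if s.os_fp.lower() in BYOD_OS:
        return "byod-internet-only"
    return "employee-corp"

def acl_for(s: Session, enforce_machine_auth: bool = False) -> str:
    return ROLE_ACL[derive_role(s, enforce_machine_auth)]
```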