Hi satx71,
Here's another option. It sounds like the corporate network might be an 802.1X network. Here's what I helped a customer design, and it's been successful:
1. Client connects to an 802.1X network.
2. They are given an Enforcement profile that sets an attribute for that device
3. This attribute could be defined as, "Secure-Access-Only"
4. The guest network will then have an additional requirement stating that endpoints with "Secure-Access-Only" will not be allowed on
5. A user device will then be sent a RADIUS Deny Access if they try to connect to the Guest network.
Tim (cappalli) wrote a great post outlining how he did this at Brandeis University. It showed the flexibility of using the attributes to achieve this functionality.
Hope this helps!
-Mike