I was investigating some rogue devices that are being reported by AMP and eventually found it.
Here's the situation:
The users that are renting some office space in our building have connected to our guest network (via captive portal) using the credentials we provided to them. From there, they are sharing the connection using a Windows XP (ICS) laptop then running a network cable to a WAN port on a router they have. There are roughly 7 desktop computers connected via a desktop switch.
This is bad and I don't want this to continue, but I would like some feedback from the community to help my case and perhaps a workaround. The upside of this is: the users (or single user in this case) fall into the guest role and are on a separate VLAN from our staff network.