I guess background first. Just setup 5 MR52s an MR33 running 2 networks. One for internal and one for internet only. I am authenticating against RADIUS on MS server 2012.
I have created a Corp SSID and a BYOD SSID. I have them both working as desired using RADIUS Auth. I created two policies in NPS one for corp and one for BYOD. I have the corp restricted to wireless PCs that are in the SecuredWirelessAccess group and Users that are in Domain users. This works when I don't have my BYOD policy on. I have them ordered Corp then BYOD.
If I disable BYOD and attempt to logon from a Mac that is not a domain computer it denies me. If I then enable the BYOD policy it allows me on the Corp network. My windows group BYOD points to the BYOD SSID, not the corporate. And the same for the Corp group. I am using MS PEAP with a server certificate and when I disable that on the BYOD Policy it does not let me connect to either network.
I know this is as much of an NPS issue as Meraki but figured it couldn't hurt to ask as I am sure someone has had something similar.
I haven't done this for quite a while. You need to add an extra match in NPS to match the SSID. I think you need to match on "Called-Station-ID". Basically look in the event viewer to see what is being sent to you as well in the RADIUS request and add something for that.