It sounds like you're thinking of applying static IP's to known devices and dynamic IP's to unknown devices in a completely flat network, and setting firewall rules based on whether it's a 'static range' or 'dynamic range' within the same overall subnet..
If that's the case, it's theoretically possible but pretty poor from a design perspective and I'd probably advise against it.
From a high level, there's probably a few better ways you could do this.
The cleanest way I can think of that would cover both wired and wireless clients is RADIUS 802.1x authentication.
Essentially, your devices authenticate to the RADIUS server and are placed into a VLAN (based on a designated filter). You can then apply the rules to the VLAN.
For your scenario, on the RADIUS server you can setup MAC address whitelisting for your known clients, and then send all other clients to a separate VLAN using CoA.
Clients can then be 'transitioned' from unknown to known by adding the MAC address to the whitelist.
References:
MS Switch Access Policies (802.1X) - Cisco Meraki
Configuring RADIUS Authentication with WPA2-Enterprise - Cisco Meraki
Otherwise, you can simply separate known from unknown by applying separate VLAN's, and separate SSID's (or using Identity PSK with group policies if the same SSID is required).