We have got ISE for our wireless.
This is the SSID for Active Directory users; the ISE decides whether the device has a certificate or not.
If the certificate is OK: the user has internal access.
If there is no certificate: the user gets Internet access only, e.g. for his mobile devices, cell phones, iPads and so on.
It's a two-factor check: Active Directory account + certificate on the device. And it is easy to use, with only one SSID for the employees. Guests have their own SSID.
Meraki SSID config:
You need to set up the rules on the ISE correctly.
And this is important:
You need to put in every access point with its IP address as an allowed network address:
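Added example, not part of the original post: a small audit that compares the access points' IP addresses against the addresses allowed in ISE and reports access points that are not covered, plus ISE entries that match no access point. The device names, IP addresses and the two dictionaries are constructed sample data; in practice they would come from your own exports of the Meraki AP list and the ISE network device list.

```python
import ipaddress

# Constructed sample (assumption): ISE network device entries, name -> IP/subnet.
ISE_NETWORK_DEVICES = {
    "AP-Floor1": "10.20.30.11/32",
    "AP-Floor2": "10.20.30.12/32",
    "AP-Warehouse": "10.20.40.0/28",   # one entry covering a small AP subnet
    "AP-Old": "10.20.30.99/32",        # leftover entry, no such AP any more
}

# Constructed sample (assumption): Meraki access points, name -> LAN IP.
MERAKI_AP_IPS = {
    "ap-floor1": "10.20.30.11",
    "ap-floor2": "10.20.30.12",
    "ap-wh-1": "10.20.40.5",
    "ap-wh-2": "10.20.40.9",
    "ap-lobby": "10.20.30.13",         # never added to ISE
}


def audit_ap_coverage(ap_ips, ise_entries):
    """Return (missing_aps, unused_entries).

    missing_aps:    APs whose IP is not inside any ISE entry.
    unused_entries: ISE entries that contain no AP IP (candidates for cleanup).
    """
    networks = {
        name: ipaddress.ip_network(value, strict=False)
        for name, value in ise_entries.items()
    }
    used = set()
    missing = []
    for ap_name, ip_text in sorted(ap_ips.items()):
        ip = ipaddress.ip_address(ip_text)
        matches = [name for name, net in networks.items() if ip in net]
        if matches:
            used.update(matches)
        else:
            missing.append(ap_name)
    unused = sorted(set(networks) - used)
    return missing, unused


if __name__ == "__main__":
    missing, unused = audit_ap_coverage(MERAKI_AP_IPS, ISE_NETWORK_DEVICES)
    print("APs not allowed in ISE:", missing)
    print("ISE entries matching no AP:", unused)
```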