HI @Jake

I wouldn't do that.  Setup one SSID for staff and use WPA2-Enterprise mode.  Every user and machine is authenticated using their AD credentials.  There are no splash pages - staff get in without having to think.

Then for guest create a splash page.

Hi,

we use Cisco ISE as an radius server. The ISE is connected to the Microsoft AD and the Meraki WLAN is connected to the ISE.

Once a user wants to connect to the internal SSID the ISE checks if the device is allowed to go to the internal LAN (it´s checked if windows devices have an certificate and if the useres connecting with their AD account to the SSID). If the device is not allowed to the internal LAN it will placed to the "external" (V-)LAN for internet connect.

Guests will connect to an Guest-SSID with frequent changing preshared keys routet dirctly to an external VLAN for internet access.

regards

redsector 

Maybe you'll get some ideas from this...

At any given time, I have at most 3 SSID's being offered.  I'll define them below:

• ACS-Wifi:  Production wireless network for district-owned devices using PSK.  I push this config to all devices using one management tool or another depending on the device.  VLAN 4 with full network access.
• ACS-BYOD:  BYOD networks for staff and student personal devices using a combination of RADIUS and Meraki group policies to further segment based on AD group membership.  IT, Staff, Students, Admins all get a different VLAN up authentication.  This keeps me from having to have multiple SSID's achieving the same result.  Depending on the AD group membership, the Meraki group polices are allowing or disallowing certain network access...file servers, etc.  Filtered using framed IP address and ias logs on the RADIUS servers to tie username and IP address together thus providing the same internet filter policy as if logged in to a Windows machine. VLAN's 20, 30, 40, 50.
• ACS-GuestSecure (M-F 6am-4pm using Meraki SSID Availability):  For non-employee/student visitors here for education reasons (deemed so by principal) that need wifi using Meraki splash page and authentication.  I have a guest ambassador at each site and using OneLogin SAML SSO and Chrome extension, the guest ambassador has one click SSO into their portion of the Merak dashboard to create true guest accounts as needed per the discretion of the principal.  VLAN 250 and this entire network is filtered using my internal content filter set extremely loose so that education-related visitors should have no issue during their visit.
• ACS-GuestOpen (M-F 4pm-6am and all day Saturday and Sunday):  For after hours guest wifi for anyone at any of our sites.  Meraki click-through splash page after agreeing to our terms of use.  VLAN 200 and filtered in the same method above, but with a student level filter policy since it is anonymous.

Below is each splash page followed by their scheduled availability: