I am implementing new SSIDs with proper security to replace a patchwork and insecure wireless "solution" I inherited and am wondering if anyone has any input or recommendations.
Background:
My company has patchwork wifi solutions in place including a Cisco 2405 with 3 SSIDs supporting 2 locations, a scattering of eero home-style mesh network devices providing "guest" type access, and then about 20 Meraki networks with wireless (these are typically a "mixed" network with MX, MS and MR devices). There is overlap of all 3 solutions in various locations. There is also a mix of SSIDs throughout the company requiring different PSKs. (General nightmare)
Generally we have a guest and an employee network that allow access via a PSK that has been in use for 10+ years.
Devices are a mix of laptops (domain and non-domain), end user smart phones and work provided tablets and handhelds. Of course many of the devices and non-domain computers need access to specific network resources.
My plan:
- Replace all non-Meraki solutions with MR access points and consolidate all SSIDs to 3 or 4 that span the entire company.
- Build an SSID that will use RADIUS authentication for all the work computers and use Active Directory to deploy the PEAP wifi profile to all the PCs so users won't have to sign into the wireless on their computers. This will be a hidden SSID.
- Create a guest network that will be isolated from the LAN and have a splash page with a usage agreement to click through. This SSID will require daily renewal via the splash page.
- Create an "employee" SSID that will provide internet only for all personal phones, non-domain laptops and other handhelds that do not need network access, using RADIUS to authenticate, and be isolated from the LAN.
I am open to any suggestions for any item but here is where I primarily would like some input:
My options for providing access to resources on the production network for devices that are non-domain are:
- Create group policies in Meraki that tie to Active Directory sign-ons to allow access to specific server resources when on the "employee" SSID. (easy)
- Create group policies in Meraki that I would then apply to specific devices to allow specific server resources to devices on the "Guest" SSID and bypass the splash page. (not as easy but more secure?)
- Create a 4th SSID for any devices that need access to server resources, isolate them from the LAN and make specific firewall rules for access to resources. Meraki group policies could be used here as well. (I prefer to have as few SSIDs as possible though)
- Other options?
Looking for any real life examples, recommendations or warnings any of you may have.
Thanks!
DerikA