You define policies to do what you want. Eg unless the username looks like host/*******.domain then reject

However, I would say don't do some of what you are planning. Leverage the functionality of 802.1X and your APs and let people log in with AD credentials, embrace BYOD but drop them onto a different VLAN

alan
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.