Differentiate between BYOD and corporate devices - looking for some input

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Fri Jul 1 16:46:50 CEST 2016


I've been thinking about how FreeRADIUS would need to be configured to
differentiate between authentication requests from BYOD devices and
corporate devices (typically Windows Domain members) and e.g. put them in different VLANs.

I've tried to find things that might be used as differentiators when e.g.
using PEAP-MSCHAPv2:

Windows Domain members using PEAP-MSCHAPv2 send requests differently, not
having any domain part.
Hosts authenticating use the host/<hostname>$ format for the username
they send... IMO not really a reliable
way to differentiate them; an end-user device could
imitate that as well.

The thing I currently see is the Calling-Station-Id being sent to
FreeRADIUS, from which one could detect whether a device is
corporate-owned: e.g. an SQL database could be queried to check
if the device figures in the known
corporate devices DB. But then again, we all know how easily
MAC addresses can be faked.

Is there something else I'm likely missing here?
Do some of you use different EAP methods like e.g. EAP-TLS for corporate
devices while
a password-based method is used for personal devices? Ideally, if a
certificate was given out for each
corporate device and user as well as per BYOD device, well then it would
be easy to identify things...
But that requires a whole CA and issuing infrastructure while trying
to keep onboarding personal devices
as simple as possible for users.

I don't have an urgent need for it right now, but I have tried to get an
idea on that topic, yet haven't
found a satisfying path (and without working every day with FreeRADIUS,
that is).
Maybe someone is willing to share his or her experiences?

-- Mathieu
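An added example, not part of the thread, of how the policy sketched above could be expressed in FreeRADIUS 3 unlang: the EAP-TLS client certificate is the only signal a supplicant cannot forge, so it alone earns the corporate VLAN, while the weaker signals from the post (a host/<name>$ user name and a MAC found in an inventory table) only park a device on a separate VLAN. The VLAN ids, the corp_devices table and its mac column are assumptions, and the sql module is assumed to be configured.

```unlang
# sites-enabled/default (outer server). EAP-TLS means a client
# certificate was verified, which a MAC or user name cannot imitate,
# so only that earns the corporate VLAN. VLAN ids are placeholders.
post-auth {
    if (&EAP-Type == TLS) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
}

# sites-enabled/inner-tunnel: the PEAP-MSCHAPv2 inner authentication
# lands here. A machine-account style user name plus a MAC found in
# the assumed corp_devices table is only a hint (both can be faked),
# so such clients get a "managed but unverified" VLAN and everything
# else goes to the BYOD VLAN. The MAC is assumed to be stored in the
# same format the NAS sends it in Calling-Station-Id.
post-auth {
    if (&User-Name =~ /^host\/[^\$]+\$$/) {
        # Read Calling-Station-Id from the outer request: the inner
        # request only carries it when copy_request_to_tunnel is on.
        if ("%{sql:SELECT COUNT(*) FROM corp_devices WHERE mac = '%{outer.request:Calling-Station-Id}'}" != "0") {
            update outer.reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "20"
            }
            return
        }
    }
    # Anything password-authenticated without a matching inventory
    # entry is treated as a personal device.
    update outer.reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "30"
    }
}
```

Because the inner tunnel writes straight into outer.reply, this does not depend on use_tunneled_reply in the PEAP configuration.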
