You may be able to find some extensions for NAC/NAP that will check the device itself for something that says it's bona-fide company issue before issue of ip. Alternatively you could run single ip per user / crypto with MAC filtering ( i'd by pass this by routing / natting my home devices through my company laptop )