Re: Good idea in principle
Agreed. I've dealt with IoT devices ranging from sprinkler controllers to thermostats to DVRs to cameras to "smart" MoCA adapters to video streaming boxes. I've yet to see any that have the ability to interface to my main WPA2 Enterprise WiFi SSID backed by a RADIUS server. As soon as IoT crap started showing up, I had to create at least one WPA/WPA2 - Personal SSID for them.
Other than reconfiguring their admin credentials (& hoping they don't have undocumented other hardwired accounts I can't see), all I know I can in general do is:
(1) Have the SSID they log into have a MAC address whitelist.
and
(2) Have the SSID they log into configured so that if the IoT device has to access the Internet then it can't access any computers, and if it does not need to access a computer then it's on a LAN/VLAN that is devoid of any computers/servers. In other words: (a) be on a LAN/VLAN that no computers/servers are on, or (b) if the IoT device must see an internal computer/server, then have a firewall rule blocking it from accessing the Internet.
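
The either/or rule in item (2) of the comment above can be audited against a firewall rule set. This is an added example, not part of the original comment: it flags any IoT device that can reach both the Internet and an internal computer. All subnets, addresses, device names and rules are constructed, and it assumes routed inter-VLAN traffic with first-match rules and a default drop.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: first-match forward rules (src, dst, action); default is drop.
RULES = [
    ("10.20.0.0/24", "10.10.0.0/24", "drop"),    # VLAN 20 may not reach the computer LAN
    ("10.20.0.0/24", "0.0.0.0/0", "accept"),     # VLAN 20 may reach the Internet
    ("10.30.0.0/24", "10.10.0.5/32", "accept"),  # VLAN 30 may reach one internal server
    ("10.30.0.0/24", "0.0.0.0/0", "drop"),       # VLAN 30 gets nothing else, no Internet
    ("10.40.0.0/24", "0.0.0.0/0", "accept"),     # VLAN 40 is misconfigured: allow all
]
COMPUTER_HOSTS = ["10.10.0.5", "10.10.0.20"]     # constructed computers/servers
INTERNET_PROBE = "198.51.100.7"                  # documentation address standing in for the Internet
IOT_DEVICES = {"sprinkler": "10.20.0.11", "dvr": "10.30.0.12", "camera": "10.40.0.13"}


def allowed(rules, src, dst):
    """First matching rule decides; no match means drop."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, action in rules:
        if s in ip_network(rule_src) and d in ip_network(rule_dst):
            return action == "accept"
    return False


def audit(rules, devices, computers, internet_probe):
    """Return {device: verdict} for the rule in item (2) of the comment."""
    report = {}
    for name, addr in devices.items():
        internet = allowed(rules, addr, internet_probe)
        internal = [c for c in computers if allowed(rules, addr, c)]
        if internet and internal:
            report[name] = "VIOLATION: Internet and internal hosts " + ",".join(internal)
        elif internet:
            report[name] = "ok (a): Internet only"
        elif internal:
            report[name] = "ok (b): internal only"
        else:
            report[name] = "ok: isolated"
    return report


if __name__ == "__main__":
    for device, verdict in audit(RULES, IOT_DEVICES, COMPUTER_HOSTS, INTERNET_PROBE).items():
        print(device, "->", verdict)
```

The check only covers traffic that crosses the firewall; devices sharing a LAN/VLAN with computers talk at layer 2 and never hit these rules, which is why option (a) calls for a separate LAN/VLAN.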