Prevent Devices Joining via WIFI

I am a beginner in such practical matters as I have never blocked connections or used ARP etc and have blindly used DHCP auto.

Problem: How to prevent users, who have the SSID password, from adding additional devices to the network. The password is required for iPhone, iPad, access etc… standard usage.

First thing that came to mind is to use the access list in the wireless menu?

Don’t know how practical that is; for home use it could be okay. Or is it possible to block all connections that are not on the access list?

True but there exists such a thing as random mac address for some devices.

Then it becomes a game of Whack-a-Mole.

Or … like firewall strategy.
Block all.
Only allow what you know or what plays nice.

Why not a two-pronged approach?
Get a list of current IPs, make a firewall address list, use it in a forward chain rule.
Make DHCP static…

y/n?? Assume that the wifi is not MT. :slight_smile:

MAC auth, perhaps annoying, is one way. But simple config.

Second, enable the hotspot feature; it deals with this sort of thing. If you follow MT’s hotspot docs… just use a VLAN interface instead of a bridge… Might be close to something acceptable. Nothing stops you from putting a password on a hotspot’s SSID to get the encryption. And with wifiwave2, you can use OWE authentication, which is an open network but runs encrypted WITHOUT needing an SSID password.

Third option… use WPA2/3-EAP with user-manager/RADIUS. Similar to hotspot, but the phone will prompt for username/password instead of a popup. And you can do stuff like VLAN assignment based on the user provided, which is an added benefit of this approach, using only one SSID. Great for smartphone/desktop, but IoT is tougher with this one.

And option 2, /ip/hotspot on a VLAN, allows non-MikroTik Wi-Fi…

FWIW… While /ip/hotspot hasn’t changed, between Wave2’s OWE and a DHCP option that says it’s a hotspot, devices act much better with a captive portal than they did 5+ years ago… And it works on a VLAN so it’s easy to try…
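The “option 2” layout from this post, written out as RouterOS commands: the hotspot sits on a VLAN interface instead of the bridge, so a third-party AP that tags its SSID onto that VLAN ends up behind the captive portal. This is an added example, not configuration posted by anyone in the thread; the bridge name, VLAN id, subnet, usernames and MAC addresses are assumed placeholders.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridgeLAN", VLAN 20 carried
# to the (non-MikroTik) access point, hotspot subnet 10.20.0.0/24. Credentials and MAC
# addresses are constructed placeholders.

# The hotspot attaches to a VLAN interface rather than the bridge, so only the
# SSID the AP tags with VLAN 20 is behind the captive portal.
/interface vlan add name=vlan20-wifi vlan-id=20 interface=bridgeLAN
/ip address add address=10.20.0.1/24 interface=vlan20-wifi
/ip pool add name=pool-wifi ranges=10.20.0.10-10.20.0.250
/ip dhcp-server add name=dhcp-wifi interface=vlan20-wifi address-pool=pool-wifi lease-time=30m disabled=no
/ip dhcp-server network add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# Hotspot profile and server. mac-cookie lets a device that has logged in once
# reconnect for a while without seeing the portal again.
/ip hotspot profile add name=hs-wifi hotspot-address=10.20.0.1 login-by=http-chap,mac-cookie
/ip hotspot add name=hs-wifi interface=vlan20-wifi profile=hs-wifi address-pool=pool-wifi disabled=no

# One active session per user...
/ip hotspot user profile add name=one-device shared-users=1
# ...and each user bound to a single MAC, so logging out and logging in again from a
# second device is refused. Private/random MAC on the client must be off for this SSID,
# otherwise the binding breaks at the next reconnect.
/ip hotspot user add name=alice password=CHANGE-ME profile=one-device mac-address=AA:BB:CC:00:00:11
/ip hotspot user add name=bob   password=CHANGE-ME profile=one-device mac-address=AA:BB:CC:00:00:12
```

Traffic from the hotspot VLAN toward the rest of the LAN is still subject to the normal forward chain, so the VLAN can be treated as a separate, less trusted segment in the firewall.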

I was not assuming :laughing:

DHCP server with a split subnet:
A known section with static IPs.
A pool for those not known, dynamic allocation.

Everything in the dynamic section can be HEAVILY restricted by firewall. Even to the point of being completely blocked. Up to you.
The known addresses are treated more liberally.
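The split-subnet scheme from this post, together with the earlier “two-pronged” suggestion (static leases, a firewall address list, a forward-chain rule), as a RouterOS configuration. This is an added example and not configuration posted by anyone in the thread; the interface names bridgeLAN and ether1, the subnet 192.168.88.0/24 and the MAC addresses are assumed placeholders.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridgeLAN" (LAN side),
# "ether1" (WAN), LAN subnet 192.168.88.0/24. MAC addresses are constructed placeholders.

# Split the subnet: known devices live in .10-.99 (static leases only),
# unknown devices get dynamic leases from .200-.254.
/ip pool add name=pool-dynamic ranges=192.168.88.200-192.168.88.254
/ip dhcp-server add name=dhcpLAN interface=bridgeLAN address-pool=pool-dynamic lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Static leases pin each known MAC to an address inside the trusted range
/ip dhcp-server lease add server=dhcpLAN mac-address=AA:BB:CC:00:00:01 address=192.168.88.10 comment="laptop"
/ip dhcp-server lease add server=dhcpLAN mac-address=AA:BB:CC:00:00:02 address=192.168.88.11 comment="phone"

# Only DHCP-issued addresses get ARP entries on the bridge, so a client that simply
# configures itself by hand with an address from the trusted range is not answered.
/ip dhcp-server set dhcpLAN add-arp=yes
/interface bridge set bridgeLAN arp=reply-only

# Firewall address list covering the trusted range
/ip firewall address-list add list=known-lan address=192.168.88.10-192.168.88.99 comment="static leases"

# Forward chain: the trusted range passes; anything else from the LAN is dropped before
# it reaches the WAN. Drop it entirely (no out-interface match) if you prefer.
/ip firewall filter add chain=forward src-address-list=known-lan action=accept comment="known devices"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 src-address-list=!known-lan out-interface=ether1 action=drop comment="unknown devices: no internet"
```

The address list is keyed on the IP range rather than on MACs, which is why the arp=reply-only step matters: without it the restriction only holds for clients that obey DHCP. Devices that randomise their MAC per network will drop out of the static section on reconnect, which is the whack-a-mole mentioned earlier in the thread.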

I like Amm0’s suggestion more, though…

I don’t play favorites. Your approach works too… e.g., a white-list in dhcp, with dynamic DHCP being block/“disfavored”, using some address-list in between.

While hotspot does allow you to have a “user” that allows one device only to log in… a hotspot user can “logout” and use a different device in the hotspot scheme. Dunno if that’d be okay here.

I don’t think there is a perfect solution here.

Hi there Anav.

Do you have Active Directory running in the environment?
If yes and the Access Points do support RADIUS, then maybe (but only maybe, sorry) you can try to use Windows NPS on the AD server to allow only trusted users and devices to join the network.
The rule in NPS will be something like this:

  • if someone is using Wireless and
  • his account is in a specific AD group like USERS_WIFI_ACCESS and
  • the device is in a specific AD group like DEVICES_WIFI_ACCESS
    then give him access to the network.

If you are not familiar with RADIUS it will be a hard time for sure - just saying.
But these rules depend on:

  • access to WiFi being possible only by individual user names and passwords (and domain) - not an SSID password,
  • having authoritative access to any authorized device which can join the network (you need to add them in AD and use MAC addresses as device user names and passwords (if I remember it properly), and you need to disable changing this address on devices which have this feature - and this option cannot be changed by the end user himself).

It’s an 802.1X scenario which is possible to obtain for wired connections (if the switches do support it), but I’m not sure it can be done on wireless devices.

It’s just an idea, very complicated though.