It's not my field, but at least at my work the network can somehow tell the difference between an authorized user and not. It is not simply using the MAC address.
A guest device connected to the ethernet port in the conference room has the same access as a device connected to the guest wifi, a staff laptop has it's usual access.
Probably a RADIUS server setup.
Basically staff machines get a certificate to present to the server and the server controls the network.
So, if your machine does nothing, it's on the guest vlan and has limited access. If it presents a valid certificate that network port is reassigned to the staff vlan and you get full access.
If someone leaves, you just revoke the certificate and they have guest access again.
Not rocket science once you know it :)