My current org restricts wifi by user and by device in Active Directory. Thus you need to be whitelisted twice to get access.

We use 2fa pretty much everywhere, but I don't think we use it there. But it certainly wouldn't hurt as yet another layer.

Wifi adapters should be disabled via Group Policy for wired devices anyway.