use a separate VLAN and DHCP scope for staff and student devices.
The best way, if you've got the time, is to change your wireless authentication to use a RADIUS server with machine only authentication. Not only can you then distribute the wireless settings via Group Policy, but you can also control very easily who does and doesn't have access to your wireless network. :)
Ahhhh! Mac Filtering is one of the worst systems in existence, not because it's inherently an insecure system, but because everyone thinks it's bulletproof. Honestly a Mac is easy to spoof as one two three these days. Thinking that Mac filtering is a good mindset is not a good mindset at all. :( And no, it won't suffice for iPhones/iPods/Android either, you can spoof on them too I hear. Stop using WPA2 only, use certificates on the machines as well, perhaps under a different SSID to the ones that don't support certificates. My college has a Trusted, Guest and Other SSID, Guest is open and has a captive portal, Trusted requires WPA2 and a valid certificate, Other I'm not even sure what it's used for to be honest. And yeah, that's an Aruba system.
Originally Posted by Hedghog