To be honest, I'd ban the MAC before spending any money!
Interesting read, how did you get on in the end?
I set up a laptop with Ubuntu to run Kismet and ... they stopped!
Anyone with a working knowledge of Backtrack would know how to spoof their MAC, would know what can and can't be hacked and would at least attempt to cover their tracks.
I use MAC filtering on top of RADIUS to try and minimize this kind of thing. Obviously I don't have a BYOD wireless system yet!
It does require maintenance but at least you're putting a first line of defence in, not exactly rock solid but it slows down the lazy hacker!
So an update: I found out a couple of things. First, Meru's Interactive Per-Station Event Logging Shell described here allows me to track events by their MAC address and shows me which AP they are trying to connect to. That allows me to track to a reasonably tight location when they are in a class. I then have two techniques to narrow it further:
1. Set intersection: Monitoring for a week or two - not constantly but looking a few times within a lesson time and recording the approx. location. I can then tie that in with timetable data to narrow down which classes were close to those locations at that time.
2. Wireshark: Use Wireshark with the wireless card in monitor mode + promiscuous, use a filter to only show traffic from the MAC address I'm interested in. Capture and display the RSSI headers which give a signal strength for each captured packet. I have this on a small, light netbook running Ubuntu (Windows seems to prevent access to network card functions which are critical to this) so I can wander over to the location the Meru monitoring gave me and pretty well tie it down to a class on signal strength. Generally devices seem to give away what they are (HTC, Samsung etc), so if necessary we could use that to narrow it down to a few students and proceed from there.
I'm hoping the warning I put to a class this morning will have the necessary effect. If it does I'm 1 down, 5 to go.
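
The set-intersection step described in the post above, sketched as an added example that is not part of the original thread. It goes one step past the post by intersecting pupil rosters rather than whole classes. The AP-to-room coverage map, timetable, rosters, pupil ids and sightings are all constructed placeholders.

```python
from collections import Counter

# All data below is constructed for illustration.
AP_ROOMS = {  # rooms within range of each AP (assumed site survey)
    "ap-sci-1": {"S1", "S2"},
    "ap-hum-2": {"H3", "H4"},
    "ap-lib": {"LIB", "H4"},
}
TIMETABLE = {  # (day, period) -> {room: teaching group}
    ("Mon", 2): {"S1": "9A-Sci", "S2": "10C-Sci", "H3": "8B-His"},
    ("Tue", 4): {"H3": "9A-Geo", "H4": "10C-Eng", "LIB": "7D-Lib"},
    ("Thu", 1): {"H4": "10C-Eng", "LIB": "9A-Lib", "S1": "8B-Sci"},
}
ROSTERS = {  # teaching group -> pupil ids (placeholders)
    "9A-Sci": {"p01", "p02", "p03"}, "10C-Sci": {"p10", "p11"},
    "8B-His": {"p20", "p21"}, "9A-Geo": {"p01", "p03", "p04"},
    "10C-Eng": {"p10", "p12"}, "7D-Lib": {"p30"},
    "9A-Lib": {"p02", "p03"}, "8B-Sci": {"p20"},
}
# (day, period, AP the MAC was seen on); the last one falls outside
# the timetable (e.g. a break) and must not wipe out the result.
SIGHTINGS = [("Mon", 2, "ap-sci-1"), ("Tue", 4, "ap-hum-2"),
             ("Thu", 1, "ap-lib"), ("Fri", 6, "ap-lib")]

def candidates(day, period, ap):
    """Pupils timetabled in a room covered by `ap` during that lesson."""
    near = AP_ROOMS.get(ap, set())
    found = set()
    for room, group in TIMETABLE.get((day, period), {}).items():
        if room in near:
            found |= ROSTERS.get(group, set())
    return found

def narrow(sightings):
    """Return (pupils consistent with every usable sighting, hit counts).

    Sightings that map to no timetabled class are skipped. The hit counts
    give a ranking to fall back on if one bad observation (AP coverage
    bleeding into another room, say) empties the strict intersection.
    """
    sets = [c for c in (candidates(*s) for s in sightings) if c]
    hits = Counter(p for c in sets for p in c)
    strict = set.intersection(*sets) if sets else set()
    return strict, hits

if __name__ == "__main__":
    strict, hits = narrow(SIGHTINGS)
    print("consistent with all sightings:", sorted(strict))
    print("ranked:", hits.most_common())
```

With this sample data three sightings still leave two candidates, which is where the signal-strength walk with Wireshark takes over.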