by bleke 3055 days ago
Very ineffective solution for this type of authentication; currently any manageable switch has an option to enable packet switching only between selected ports (and it is the same with wireless, you can set that clients don't communicate directly), so just use a firewall plus a few scripts and the solution is ready.

For universities there is a thing called eduroam, which works as follows: 1. there is 802.1x authentication with certificates and user + password; 2. for legacy clients, just a landing page with firewall tricks.


You do not solve the problem of traceability with packet switching.

Regarding eduroam, your comment is incorrect. Most 802.1x auth in universities with eduroam uses PEAP+MSCHAPv2, which is a serious security issue (MD4 NT hash). It is way too cumbersome to configure EAP-TLS and certificates. There are ways to get around it with Passpoint/Hotspot 2.0 provisioning, but this is far from being supported on devices.

Our solution seems way cleaner than what you suggest. There is very little maintenance with our current setup, and any student can connect securely to any AP or port on the campus. Our experience with custom scripts is not very satisfying.