I think the real question here is what security problem are you trying to solve? WPA2 (and 3) Enterprise already solves your goal of identifying users by using individual logins instead of a shared key. I'm really failing to see how MAC- or DHCP-based security adds any real security on top of that.

If you use WPA2/3 PSK with almost any variety of extra MAC security:

1. For outside attackers: WPA2 PSK/Enterprise will keep them out for quite a long time.
2. For attackers that already have the PSK:
   - Option 1: Anyone with the PSK can decrypt the packets going to other hosts by observing a handshake. You can force a handshake by sending a deauth packet (unless you have 802.11w set to enabled or required) or just wait for a client to connect. Then you can sniff the DHCP traffic and learn the subnet attached to that SSID. The attacker then gives their device a static IP in that subnet. Ta-da, they are past your DHCP/MAC security.
   - Option 2: The attacker (with the PSK) changes their MAC address to match an attached device. Networking weirdness ensues, but the attacker can probably still access your network.

Or, you spin up a RADIUS server like NPS, ISE or freeRADIUS and attach that to where you keep your user accounts. Then each user can only see their own traffic, and you can assign a VLAN or a Group Policy per user or user group.
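As an added example (not part of the original post), this is what the per-user VLAN assignment described above looks like in a freeRADIUS `users` file: each authenticated identity gets its own VLAN via the standard RADIUS tunnel attributes, and anyone not listed is rejected. The usernames, passwords and VLAN IDs are made-up placeholders; in a real deployment the credentials would come from the directory (AD/LDAP) the post mentions rather than from this file, and the EAP method (PEAP/EAP-TLS) is configured separately in the `eap` module.

```text
# freeRADIUS "users" file fragment (example only).
# Check items (:=) are on the first line of each entry;
# reply items (=) follow, indented, comma-separated, last one without a comma.

# Staff user placed on VLAN 20 after successful EAP authentication.
alice   Cleartext-Password := "placeholder-password-1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        Reply-Message = "staff VLAN"

# Contractor user placed on a separate VLAN 30.
bob     Cleartext-Password := "placeholder-password-2"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30",
        Reply-Message = "contractor VLAN"

# Anyone not matched above is rejected outright: no shared secret,
# no VLAN, so a leaked password only exposes that one account.
DEFAULT Auth-Type := Reject
        Reply-Message = "unknown user"
```

Test a single entry with `radtest alice placeholder-password-1 localhost 0 testing123` against a local server and confirm the `Access-Accept` carries `Tunnel-Private-Group-Id = "20"`; the access point or controller then maps that value to the VLAN it tags the client's traffic with.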