Heads Up :
The post you are writing will appear in a public forum. Please ensure all content is appropriate for public consumption. Review the employee guidelines for the community here.
If you use a pre-shared key you cannot stop people sharing it - that's an inherent risk with PSK.
You will need to use 802.1x with unique user IDs and 2FA to ensure that access can't be shared or certificate based authentication but that's more difficult to do on BYOD devices.
On top of what others recommended you can also disable Layer 2 authentication and rely on Layer 3 authentication using a captive portal with local authentication on the EWC. This is the easiest way to solve the problem without adding much complexity, however I would still prefer what @Rich R has suggested as those methods are considered gold standard when it comes to wireless security.
Exactly! Even before private MAC address anybody with the technical knowledge could change their client MAC. Since Private MAC address, frequently changing random MAC addresses, is now a standard feature in almost all OS. And MAC filtering is not "secure" for the same reason - any user can fake an allowed MAC address. Obviously it will cause a problem if 2 users try to use the same MAC at the same time but the point is that it is not secure and it will not stop people sharing the key.
