Using iptables/ebtables is better than just playing with dhcp, as it prevents simple static IP assignment. But if you really want something serious, then you need to deploy 802.1x auth everywhere. And this is out of scope for SME as it's mainly configured at the switches layer. SME should be able to act as a radius server for those though