Our internal wireless deployment does what is outlined in this article. Using 802.1x, EAP-TLS, and an internal PKI, any wireless device that has a hope of gaining access must have a host-identifying certificate. That cert is used to determine whether the device is allowed access, regardless of IP address, and then is the basis for a dynamic per-session key. Layering WPA on top of this is an added bonus.
The concept can be extended to wired networks as well using the same 802.1x protocol. Regardless of the solution, guaranteeing and protecting host identity will be the issue.