The best practices I've read lately involve getting rid of MAC address lockdown (which is spoofable) and instead relying on PPPoE, using RSA SecurID fobs, or using a free PPPoE client + strong password encryption.
Requiring individual user identification rather than knowledge of the key (which is crackable with widely known software) or MAC address (which is easy to spoof if you do a little sniffing in promiscuous mode) should get you further.
I read a white paper on this somewhere with regard to setting up a wireless freenet in a rural part of America, where the chief concern was theft of service that would limit the ability of the operators to control bandwidth utilization.
DB
We are moving into larger offices later this month. The buildings we are moving out of and into are both regional development buildings, so they house multiple companies; hence we hide the AP, limit MACs, require a strong key which will change every month or so, and have it on a NIC that's firewalled. Not much else we can think of on a practical level... Unless you guys can.