Mix chat roomxxx
Here is a non-technical idea: This is a school, right? Teach them the importance of consequences, acceptable use, the illegality of hacking... I mean, give them access, to a separate filtered network if need be, and create some curriculum around that.
Just FYI because this "they're just high school kids" is being used to set a false bar for "good enough" security.
Additionally, a malicious user could start attacking other machines directly.
The best solution would be to implement WPA2-Enterprise, instead of using a pre shared key (WPA2-PSK). This is implemented by installing client certificates on each machine.
One of them will get the password, and it travels like wildfire throughout the school.
It is sometimes as simple as writing it on a wall where the rest of the students can get the updated password. I'm considering entering MAC addresses, but that's very labourious, and still not a guarantee of success if they spoof the address. Some background: There are four routers in a 50-year-old building (plenty of concrete walls). They are different brands and models (Netgear, Asus, Acer, D-Link) so no central administration.