Check out this site. They seem to have a fairly cool way of authenticating users for environments similar to the one you are setting up. I have not tried it so I can't say how easy/hard it is, or how well it works, but, check it out.

http://nocat.net/

Apparently what you do is set up a linux box(or something) behind the access point, with the no cat software installed, and iptables configured with it, when a user tries to access the wireless, they are unable to do so unless they have authenticated(they can use the wireless, but just can't go anywhere because iptables will not let them). In order to authenticate they just open a web browser and attempt to load their home page, they are automatically redirected to the login page for nocatauth(over ssl I believe so no worries about having passwords sniffed, at least not as many) where they can login, or not. There appear to be several different ways you can configure the permisions.

You do not use WEP so any traffic can be sniffed/monitored, except for the authentication to nocat, which as stated can be configured(or maybe has to be) to use ssl.

Good Luck.