Hi Brian,
Is there a Security Administrator where you work? I would get them to write policy reflecting how student wireless access is to be handled. Typically this gets signed off on by the person at the top. If you already have a security policy, what does it say concerning student wireless access?
If they are adamant about having this open kind of access, then I would definitely try the Social Auth route. You can have Facebook, Twitter, Instagram, etc., as options for students to get access. Then I would put them in a role that only has ports 80 and 443 open and only to Internet destinations. Throttle them back to 256kbps. OK, maybe 512kbps.
Then on the page where they can log in with FB, have a link that says "Are you a student? Are you tired of logging in every day? Do you want HIGH SPEED ACCESS? Click here to switch to our secure network." Link this to our Standalone Quick Connect App (talk to your Aruba sales person or SE about this). Standalone Quick Connect will configure their device's supplicant to connect to the 802.1x SSID (installing RADIUS certs, adding the SSID, removing the open network SSID, etc.). Then with ClearPass, once they connect to the 802.1x SSID, we can trigger an endpoint attribute update called something like Secure-Network-Device, setting it to True. Now if they try to re-connect to the open SSID, we can use the MAC Caching service to check for Secure-Network-Device=True and redirect them to a page that says "You have configured your device for Secure Network Access. If you are having trouble connecting to the Secure Network, you can re-configure your device by clicking here." This would be a link to the Standalone Quick Connect workflow.
Hope this helps!
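
The decision flow described in the post above, as an added Python model that is not part of the original post and is not ClearPass configuration. The endpoint store, function names, role name and page name are hypothetical; "Internet destinations" is assumed to mean globally routable addresses.

```python
import ipaddress

# Constructed model of the policy in the post; names below are hypothetical.
ALLOWED_PORTS = {80, 443}   # restricted role: web traffic only
THROTTLE_KBPS = 512         # rate limit suggested in the post

# Stand-in for the endpoint repository: MAC address -> endpoint attributes.
endpoints = {}


def guest_role_permits(dst_ip, dst_port):
    """Restricted role check: ports 80/443 only, Internet destinations only.

    is_global is False for RFC 1918, loopback, link-local and similar ranges,
    so campus-internal hosts stay unreachable from the open SSID.
    """
    ip = ipaddress.ip_address(dst_ip)
    return dst_port in ALLOWED_PORTS and ip.is_global


def on_dot1x_success(mac):
    """Device authenticated on the 802.1X SSID: tag the endpoint record."""
    endpoints.setdefault(mac.lower(), {})["Secure-Network-Device"] = True


def on_open_ssid_connect(mac):
    """MAC-caching style lookup when a device associates to the open SSID."""
    attrs = endpoints.get(mac.lower(), {})
    if attrs.get("Secure-Network-Device") is True:
        # Already onboarded: show the notice with the re-configure link.
        return {"action": "redirect", "page": "secure-network-notice"}
    # Not onboarded: social login, then the throttled restricted role.
    return {"action": "social-login", "role": "guest-restricted",
            "kbps": THROTTLE_KBPS}


if __name__ == "__main__":
    mac = "AA:BB:CC:00:11:22"  # constructed sample MAC
    print(on_open_ssid_connect(mac))
    on_dot1x_success(mac)
    print(on_open_ssid_connect(mac))
    print(guest_role_permits("10.0.0.5", 443))
```

Normalizing the MAC to lower case before lookup keeps the attribute check from being bypassed by a difference in how the two SSIDs report the address.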