It would depend on how the consumer router is plugged in. If it is connected using the WAN/Internet port, then the device will likely DHCP and behave like a router. In this case you can use ClearPass profile information to deny access to the router.
If they connect it using one of the LAN ports, it will behave more like a bridge and you'd need your wired infrastructure and NMS to detect the rogue device and shut the port down. In theory, anything plugged into this router on the other LAN ports should be put through an auth process on the upstream switch.
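The LAN-port (bridge) case described above can be spotted from the upstream switch, because several client MACs appear behind a single access port. The following is an added example, not part of the original post and not ClearPass or vendor code; the table layout, port names, MAC addresses and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC address table ("VLAN MAC TYPE PORT").
# The layout, port names and addresses are assumptions for illustration.
SAMPLE_TABLE = """\
  10  0011.2233.4401  DYNAMIC  Gi1/0/1
  10  0011.2233.4402  DYNAMIC  Gi1/0/2
  10  a4b1.c1d2.0001  DYNAMIC  Gi1/0/3
  10  a4b1.c1d2.0002  DYNAMIC  Gi1/0/3
  10  3c5a.b400.0099  DYNAMIC  Gi1/0/3
  20  0011.2233.4477  STATIC   Gi1/0/4
  10  0011.2233.5501  DYNAMIC  Gi1/0/48
  10  0011.2233.5502  DYNAMIC  Gi1/0/48
"""

LINE_RE = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)

def macs_per_port(table_text):
    """Map each port to the set of dynamically learned MACs seen on it."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything unparseable
        _vlan, mac, kind, port = m.groups()
        if kind.upper() == "DYNAMIC":
            ports[port].add(mac.lower())
    return ports

def flag_bridged_ports(table_text, uplinks=(), max_macs=1):
    """Return access ports that learned more MACs than one endpoint should.

    uplinks: trunk/uplink ports, which legitimately carry many MACs.
    max_macs: raise to 2 where a phone plus PC share a port.
    """
    return {
        port: sorted(macs)
        for port, macs in macs_per_port(table_text).items()
        if port not in uplinks and len(macs) > max_macs
    }

if __name__ == "__main__":
    for port, macs in flag_bridged_ports(SAMPLE_TABLE, {"Gi1/0/48"}).items():
        print(f"{port}: {len(macs)} MACs behind one access port -> {macs}")
```

A router connected by its WAN port hides its clients behind NAT and shows a single MAC, so this check does not catch that case; that one is left to the profiling approach the post mentions.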