Ideally, you'd want to be using EAP-TLS. If that's not possible, you'd need to push users through some sort of configuration wizard to properly configure their supplicant (Aruba offers a tool called QuickConnect and there's others out there as well, but if you're going to push the user through a wizard, you might as well just use EAP-TLS). Also keep in mind that using a supplicant provisioning tool doesn't prevent a user from manually connecting and putting their credentials at risk.
So you're really left with EAP-TLS as the only realistic option. If you're not concerned about credential security for students, you could always leave them with the current deployment but I'd highly recommend you use a secure method for faculty/staff who generally have more privilged access.