There are two parts to this issue:
(1) Possibly deploying 802.1x
(2) Does every department need their own subnet?
With regards to #1, 802.1x is complicated, but not impossible. It should be done separately from #2, because it requires the configuration of a Radius Server, a Certificate Authority and Clients, which should be piloted before going into production. If you have a domain, detailed information on how to deploy radius on an NPS server is here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113
With regards to #2, alot of people think that they need to deploy differing users into their own subnets, but an ip address is just a way to get traffic to and from users and adding a subnet for each floor or each department demands creates management overhead (more subnets), but does not really do anything, security-wise. Realistically, you need to deploy #1, to be able to differentiate users (typically by AD groups), before you consider #2., since there is no way to even differentiate users securely unless you use 802.1x.