It is solved on the basis of hardware and not software.
Put a "smart switch" on the ports, set up a poppy filter.
With wi-fi the exact same story - the white list of poppies.

this is solved either by hardware (such as binding a mac to a switch port or even through 802.1X), or administratively - issue a document on the prohibition of connecting left devices to the network with a description of the sanctions, set up DHCP / ARP monitoring, a couple of times exponentially dry up those who do not understand - and that's it.
The most reliable is 802.1X. But you need smart switches + RADIUS. By the way, you will also get additional profit from this solution in the form of the ability to divide computers into VLANs, allocate all sorts of quarantine subnets, etc. But not easy.

There is also 802.1x technology. Port security. You stick a computer into the port - and it asks for a login and password. If the link is correct, the link is raised, the address is given out....
But for this, you need the appropriate equipment...
For now, if I were you, I would select a certain range in dhcp, which is issued to unknown equipment. And all known - would fix poppies and give addresses out of range.
Well, by highlighting the unknown in a separate block of addresses, you can already do something ... Do not open access to the Internet, what else is a thread ...

If everything is really bad, there is no money for hardware (managed switches are the correct answer), then you can throw out the "wrong" hosts from the network by ARP spoofing.

Just keep in mind that "coolhackers" can also replace poppies

If you have CISCO equipment, it is fashionable to use a security port so that when an unknown device is connected, the port is disabled, because it is impossible to revoke the IP issued or registered statically from the equipment, you will have to run around the floors and look for who connected the computer there is still NAP from microsoft