take the wifi to a separate segment to begin with? change authorization to radius?

A white list of MAC addresses must be done. Plus L2 switches to be able to show a list of poppy addresses on the port.
You put a whitelist, make up a register of connected equipment. You calculate the malware - and draw up an act of interference in the corporate network. And the head of the information security service on the table.
It is necessary to approach in terms of "Information security" - perhaps it happened more than once a month, but at the time of a major transaction, filing applications for a tender and other important events of the company. The failure of the network was caused intentionally, since spam DHCP requests are not possible in standard software. Perhaps somewhere in your network there is a "bookmark" that is activated by intruders and lays down your network. It is necessary to study when this happened what the employees did.
Perhaps the guest Wi-Fi was hacked due to its incomplete isolation from the main network.

Yes, the wireless network must be separated from the wired network, there are no options. And so, try to either block the mac, or tie it to a specific ip. You can also reduce the lease time for the IP address.

Reanda time 02:00:00
In DHCP add arp for leases checkbox,
Guest Wi-Fi in a separate vlan