Instead of a username/password approach, why not use MAC-based access? This method will allow you to both control who is connected and monitor bandwidth utilization based on the physical address of the network interface card.
Take a look at Sob’s last post in this thread:
http://forum.mikrotik.com/t/no-out-lan-if-not-on-allowed-mac-acl/105981/2
His firewall entries will essentially block any MAC address that is not listed above the final “add action=reject chain=outgoing reject-with=icmp-admin-prohibited” rule.
While I admit doing this for 500 MAC addresses could be time-consuming, it also guarantees only those MACs are allowed on your network. Plus, you should be able to get the vast majority of the MACs via your DHCP leases now.
Just a thought.
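One way to build such an allowlist from existing DHCP leases, as an added example that is not part of the post above or of Sob's rules. It assumes one `action=accept` rule per MAC matched with `src-mac-address`, placed above the final reject rule quoted in the post; the lease lines are constructed sample data.

```python
import re

# Matches MACs written with ':' or '-' separators anywhere in the lease text.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed sample lease lines (not taken from any real router).
SAMPLE_LEASES = """\
add address=192.168.88.10 mac-address=00:1A:2B:00:00:01 server=dhcp1
add address=192.168.88.11 mac-address=00-1a-2b-00-00-02 server=dhcp1
add address=192.168.88.12 mac-address=00:1A:2B:00:00:01 server=dhcp1
add address=192.168.88.13 mac-address=00:00:00:00:00:00 server=dhcp1
add address=192.168.88.14 mac-address=01:00:5E:00:00:FB server=dhcp1
add address=192.168.88.15 mac-address=02:11:22:33:44:55 server=dhcp1
"""

def extract_macs(text):
    """Return unique unicast MACs in first-seen order, as upper-case AA:BB:.. strings."""
    seen, result = set(), []
    for match in MAC_RE.finditer(text):
        mac = match.group(0).upper().replace("-", ":")
        # Skip the all-zero address and multicast/broadcast (low bit of first octet).
        if mac == "00:00:00:00:00:00" or int(mac[:2], 16) & 0x01:
            continue
        if mac not in seen:
            seen.add(mac)
            result.append(mac)
    return result

def is_locally_administered(mac):
    """True for MACs with the locally-administered bit set (e.g. randomized client MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def build_rules(macs, chain="outgoing"):
    """Emit one accept rule per MAC, then the final reject rule from the post."""
    rules = ["/ip firewall filter"]
    for mac in macs:
        rule = f"add action=accept chain={chain} src-mac-address={mac}"  # assumed rule form
        if is_locally_administered(mac):
            # Such addresses may change between connections; flag them for manual review.
            rule += ' comment="review: locally administered MAC"'
        rules.append(rule)
    rules.append(f"add action=reject chain={chain} reject-with=icmp-admin-prohibited")
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(extract_macs(SAMPLE_LEASES))))
```

Review the generated list before importing it: anything already holding a lease gets allowed, including devices that should not be on the network.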