Prevent usage of SOHO WiFi-routers on corporate network?

Is there any way to prevent people from setting up “personal hotspots” using SOHO WiFi-routers on an enterprise office network? Presume the SOHO-router is assigned a correct ip-address from the corporate DHCP-server and is using its own src-nat, is there a way to detect and block these kinds of connections?

Any ideas are welcome!

You can play with ttl, but they can also. You can register mac but they can copy it. You can install a tool on the workstations that can check the locally assigned ip against the natted ip and report the difference to your server that can initiate the cut off. In case the stations belong to a manageable domain…

Thanks, I’ll try TTL to start with!

Any suggestion on a decent value to start filtering on? Btw, is the internal TTL translated/terminated in src-nat and gets another TTL on the outbound side?

If your network is flat switched, set ttl 1 to all packets going inside from outside.
http://forum.mikrotik.com/t/how-to-make-ttl-1/12304/1

Excellent, thanks for the pointer! Since it’s “flat switched” (like the term btw :wink:) it should probably work in this case.

It will work until the sharing device changes the ttl to a higher value instead of dropping the packet. So as I said before…

Well, it’s good enough to prevent a “normal” ad hoc installation and not for the professional villain with deeper technical knowledge :slight_smile:

Post a sign in all office spaces.
"Any use of unauthorized Network Devices will be grounds for immediate dismissal!"

From a leadership point of view, why is it that employees feel they need wifi or more internet?
There may be a business case to provide better services!

Well, the regular access is somewhat limited because of previous misuse and someone got the brilliant idea to bypass that limitation. So I’m not quite convinced regarding the business case this time! :laughing:

So how does it work now?

Yes indeed!

Rumors say some of the coworkers got very puzzled when their personal hotspot stopped working but were still able to use their laptop on the same connection.

Good. If they are smart, having the cheapest MikroTik and reading this forum (even without all of it) they will easily overcome what you did.
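The detection side of the TTL idea discussed in this thread, as an added example that is not from any of the posters: on a flat switched LAN, a directly attached host reaches the gateway with its initial TTL intact, while traffic passing through a NAT router arrives one hop lower. The initial TTL values (64, 128, 255), the thresholds and the sample observations are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed common initial TTLs (typical Unix-like, Windows, network gear).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (source IP on the flat LAN, TTL seen at the gateway).
SAMPLE = [
    ("10.0.0.21", 128), ("10.0.0.21", 128), ("10.0.0.21", 128),
    ("10.0.0.34", 63), ("10.0.0.34", 127), ("10.0.0.34", 63), ("10.0.0.34", 63),
    ("10.0.0.40", 64), ("10.0.0.40", 64), ("10.0.0.40", 64), ("10.0.0.40", 63),
    ("10.0.0.55", 127), ("10.0.0.55", 127),
]


def hops_behind(ttl):
    """Distance from the nearest initial TTL at or above the observed value."""
    candidates = [initial - ttl for initial in INITIAL_TTLS if initial >= ttl]
    return min(candidates) if candidates else None


def suspected_nat_hosts(observations, min_packets=3, ratio=0.8, max_hops=3):
    """Return {ip: sorted distinct TTLs} for hosts that look routed.

    A host is flagged when at least `ratio` of its packets (and at least
    `min_packets` in total) arrive 1..max_hops below an initial TTL, which
    should not happen for a device plugged straight into a flat segment.
    """
    per_host = defaultdict(list)
    for ip, ttl in observations:
        per_host[ip].append(ttl)

    flagged = {}
    for ip, ttls in per_host.items():
        if len(ttls) < min_packets:
            continue  # too little evidence to act on
        routed = [t for t in ttls
                  if hops_behind(t) is not None and 1 <= hops_behind(t) <= max_hops]
        if len(routed) / len(ttls) >= ratio:
            flagged[ip] = sorted(set(ttls))
    return flagged


if __name__ == "__main__":
    for ip, ttls in suspected_nat_hosts(SAMPLE).items():
        print(f"{ip}: decremented TTLs {ttls} (possible NAT device on this port)")
```

Several distinct decremented TTLs from one address, as with the flagged host here, also suggest more than one operating system behind it. As noted in the thread, a sharing device that rewrites the TTL will not be caught by this check.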