Why don't you make a Vlan for corporate users and a Vlan for guest and students.
You can then allow students and guest only access to the internet and corporate users access to the printers, servers and internet.
Our college environment is setup in the fashion and it works flawlessly:
Aps are on default vlan 1 with all the switches and same IP range.
We have 3 SSID Corporate Wifi, Guest Wifi & Student Wifi
Corporate Wifi is for example vlan 2
Guest and Student SSID is for example VLAN 3
Our corporate users don't have to enter in a passkey for wireless as we are using radius server 2008r2 and their pcs have to be part of the domain computers group.
The guest ssid uses the guest feature of the zonecontroller and we generate 1 key once a week for guests.
The student ssid uses captive portal authenticating via their AD credentials on their domain controller.
Vlan 3 is blocked from seeing any other vlans on the main core switch so they only have access to internet.