Currently, we deal with this type of issue by:
1) Delete the DPSK belonging to the user.
2) Add the MAC address to a L2/MAC Access control list which is banned from the "JOIN" network. (All users usually have access to this network to obtain a DPSK).
3) That forces the user onto out GUEST network (which they have to pay for) and that network offers them the chance to "unblock" themselves, by forwarding them to xxx.xxx.xxx.xxx/activate.
4) By comparing entries on the banned L2/MAC Access Control list with the generated DPSKs we can see when a user has paid for their access, generated a DPSK and we delete their MAC address from the Access Control List.
A little "bitsy", but it works nicely and without too much interference from us.