
Authenticate access to internet

13 years 11 months ago #34437 by apit
Actually we are trying to authenticate all user access to the internet... The main reason is to have a report for every user that uses the campus internet. An example: our CEO wants statistics for all users that use Facebook every month.

Port security is just to allow authorized MAC addresses on the network.. Is it?
13 years 11 months ago #34443 by Nevins
Port security can work only if you make it a requirement for users to register their laptop for your network (otherwise they would be unable to get on). The idea is you're authenticating them by making them come to you first before being able to get onto your network. People who don't have a valid registered MAC address wouldn't be able to get on. Also, if you require people to register before getting onto your network, and they do any damage, you can find it easier later with the use of a port monitoring program.

Anyway, if you're looking at creating a report you're going to have to use some type of reporting tool like Wireshark.

What format is the data required to be in for the report?

Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
13 years 11 months ago #34444 by S0lo

Actually we are trying to authenticate all user access to the internet...


You can do this with an ASA using user/password web authentication. Although you did not say you have an ASA firewall, I noticed that you mentioned having one in one of your recent posts. So here is a guide for it:

www-china.cisco.com/en/US/docs/security/...fwaaa.html#wp1051298

If that's what you're looking for, tell us if you need further help.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
13 years 11 months ago #34445 by apit

Actually we are trying to authenticate all user access to the internet...


You can do this with an ASA using user/password web authentication. Although you did not say you have an ASA firewall, I noticed that you mentioned having one in one of your recent posts. So here is a guide for it:

www-china.cisco.com/en/US/docs/security/...fwaaa.html#wp1051298

If that's what you're looking for, tell us if you need further help.


From the technical doc:

Secured web-client authentication has the following limitations:

• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.

Is it 16 concurrent users that log in to the ASA? Actually we have about 6xx users at our office.
13 years 11 months ago #34446 by KiLLaBeE
I have to disagree about port security, and I'll explain.

For his scenario and his needs, port security is too inflexible and the wrong tool. Port security is meant for you to specify what MAC address(es) a port should receive frames from and to drop all other frames. An appropriate scenario would be if you wanted a certain port to ONLY receive traffic from a specific connected device, and if someone unplugs the device and plugs something else in, the port would neglect the traffic. It's an appropriate solution for public-facing network-capable devices.

The reasons why port-security is the wrong tool:

Configuration
Configuring port security would be the biggest problem. Sure, users can go to him and "register" their MAC addresses, but the administrative overhead in that would be extremely time consuming. He'd have to SSH/telnet to the switch, know exactly what port on the switch the user would be connecting to, and configure the MAC address there. This is granted that he doesn't have to trace the cable from the wall jack to the port on the switch, because that would just increase the amount of time it takes to setup a single user. Additionally, MAC addresses are configured on a port-by-port basis. What if someone moves their laptops around? What if computers get relocated? He'd have to reconfigure the MAC addresses on the ports and set aging timers where needed. Sure, he can record the MAC addresses somewhere (Excel spreadsheet) for easy reference, but he still has to punch the commands in on the switch, SSH where needed, and verify that it's the right port. Every time a new computer/laptop is added to the network, he would have to get the MAC address and configure it on the switch as well.

You can bypass all these hurdles by configuring port-security to register the MAC address of the first frame it receives (which would be the first computer/laptop that connects to it), but if an unauthorized user plugs the laptop into it first, the security will have been defeated. Even if he sets up port security so that multiple MAC addresses are allowed, security would be defeated because an unauthorized user would be able to plug their device in and gain access.

Also, in its initial installment, port security would be a huge pain. He'd have to survey all the computers/laptops for their MAC addresses. Again, he could SSH to all the switches, run show mac-address-table and get the MACs there, or he could find some tool that automatically does this, but he'd still have to enter the commands for each port.


Troubleshooting
It's bound to happen: someone plugs their laptop elsewhere and wonders why their laptop can't connect to the network. This results in a helpdesk call. The helpdesk can't do anything because they don't have access to the switches. This triggers a call to the network engineer who has to stop what he's doing to figure out what port # it is and what MAC address it is.

You can set an "IT policy" that everyone must register their MAC addresses, but again, that places inflexibility on the business…if not defeating the purpose of being a mobile user on a laptop (granted there's no wifi), since the mobile users can't happily move around with their laptops.

Also, it sounds like only authenticated users will be able to access the Internet, and if they're not authenticated, they would still be able to access the local network. With port security, they would be able to access all or nothing because port security can't differentiate Internet vs local network traffic since it's an L2 technology.


Reporting
My understanding is that Wireshark only (or mostly) sniffs traffic and has no reporting capabilities. Then again, I've never bothered to look at what its other features are. I'm sure it's vast because there's a book AND a cert for the tool, but I digress. If the CEO wants reporting, a more purpose-built, sophisticated tool would be needed -- a proxy server.

A proxy server is specifically built to filter web traffic and perform reporting…that's the selling point. I know with ISA 2004, you can integrate it with Active Directory and specify what users/user groups will be able to access what sites…or if they can access any sites at all. A proxy server would allow users to connect their laptops/computers to the network, and if they're authenticated (via ISA's integration with AD), then they could access whatever. If they try anything else, they're blocked and it's logged. If an unauthorized user tries to access the Internet, and if appropriate ACLs are in place on the Internet router (to only allow traffic from the proxy server and other key servers), then the unauthorized user would not gain access.

Once the proxy server is installed, he could use existing technology (Active Directory group policy) to setup everyone's IE to point to the proxy server...and the proxy would do the work from there.

There are other offerings for proxy servers, such as Untangle.
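One way to produce the monthly per-user Facebook statistic the original poster asked for, once an authenticating proxy is in place as suggested in the post above. This is an added example, not code from the thread or from any proxy product; it assumes a Squid-style native access.log (authenticated username in the eighth field) and the log lines it parses are constructed sample data.

```python
"""Monthly per-user report of Facebook access from authenticated proxy logs.

Assumes a Squid-style native access.log: epoch time, elapsed ms, client IP,
result code, bytes, method, URL, authenticated user, hierarchy, MIME type.
The log lines below are constructed sample data, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1296553200.123    120 10.1.2.3 TCP_MISS/200 5120 GET http://www.facebook.com/home.php alice DIRECT/69.63.181.11 text/html
1296553260.456     80 10.1.2.3 TCP_MISS/200 2048 GET http://static.ak.facebook.com/logo.png alice DIRECT/69.63.181.12 image/png
1296556800.789    200 10.1.2.7 TCP_MISS/200 9001 GET http://www.example.com/ bob DIRECT/93.184.216.34 text/html
1296639600.000    100 10.1.2.7 TCP_MISS/200 4096 GET http://www.facebook.com/profile.php bob DIRECT/69.63.181.11 text/html
1299225600.000    100 10.1.2.3 TCP_MISS/200 4096 CONNECT www.facebook.com:443 alice DIRECT/69.63.181.11 -
1299225700.000    100 10.1.2.9 TCP_DENIED/407 0 GET http://www.facebook.com/ - NONE/- text/html
"""

def host_of(url: str) -> str:
    """Return the host of a proxied URL; CONNECT targets come as host:port."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname or ""

def facebook_report(log_text: str, domain: str = "facebook.com") -> dict:
    """Map (YYYY-MM, user) -> request count for hosts under `domain`.
    Unauthenticated requests (user '-') are skipped: the proxy answered them
    with 407 and there is no user to attribute them to."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed or truncated line
        ts, url, user = fields[0], fields[6], fields[7]
        if user == "-":
            continue
        host = host_of(url)
        if host != domain and not host.endswith("." + domain):
            continue
        month = datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m")
        counts[(month, user)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (month, user), n in sorted(facebook_report(SAMPLE_LOG).items()):
        print(f"{month}  {user:<8} {n} requests")
```

The 407-denied line shows why the proxy approach answers the reporting question: an unauthenticated client never reaches the site, so there is nothing to attribute, while every allowed request already carries the username.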
13 years 11 months ago #34447 by FlipRich

Actually we are trying to authenticate all user access to the internet... The main reason is to have a report for every user that uses the campus internet. An example: our CEO wants statistics for all users that use Facebook every month.

Port security is just to allow authorized MAC addresses on the network.. Is it?



Layer 2 port security is definitely not the way to go if you're wanting to restrict web access to users. That's like defending against terrorism by putting guards at the door of every person's house. It's just not practical.

I don't think OpenDNS is going to give you the detailed reports that you're wanting to present to the CEO. I suggest purchasing a Cymphonix device, maybe the Cisco IronPort, or even the Websense software filter to get effective web filtering and reports. I haven't messed with the ASA's web filter feature yet, but to answer your question below about the "16 concurrent users", it looks like that limit only applies to HTTPS connections.

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL