Any known way to determine inbound packets from the Internet originated on a wireless unit attached to a cable/adsl modem
Unfortunately, no. In a system like that, when the packet hits the wire, it has no signs that would tell you it originally came from a wireless STA. Well, the only way it may be possible is if it isn't being NATed, you could look at the source MAC and possibly determine that it came from a wireless device, but that would take a lot of time and research to figure out. In the end, highly unlikely.
Many Thanks. Obviously challenging in assuring that staff-owned wireless units are not in Open System state. Staff is required to use VPN client but that
does not address the Open System state. Any thoughts on steps to harden security?
Oh, now I know why you wanted to know this. If you are requiring an encrypted VPN tunnel, then you are good to go. When your users at home come in over wireless with a VPN, the entire Layer 3 packet is encrypted. Sure, someone on the street can intercept it, but unless they are able to crack IPSec or whatever you are using then your data is protected. By the way, someone on the street can't crack IPSec. :) This also goes for any of your staff that are in open hotels, airport, Starbuck etc. As long as they are coming in over an encrypted VPN tunnel, you are fine. Hope that help assure you!