Wireless Encryption Type In Outbound Packets? Enforcing Wireless Connection Type

Recently one of my clients had an internal breach of security (a
direct result of not implimenting a recommendation we made, I might
add). As part of a post-incident debriefing conference an issue was
raised about how to detect if a remote client was using an unsecured
wireless client. A question that was posed: is it possible to detect
simply from packet analysis whether a remote user's computer is using
a secure wireless connection- the object being to use firewall rules
to block access based upon such packet analysis results. I am pretty
sure that this isn't possible- that encryption and encryption method
(WPA, WEP) information aren't in TCP/IP packets.

Correct?