Cisco NAC provides support for non-reporting devices such as printers, IP phones, UPSs, etc., by adding them to a filter list.
This allows these devices to basically bypass the NAC system and just exist on the network.
My question is this. If we exempt these devices from NAC assessment, where is the security in that? What stops someone from putting a printer's MAC address on his laptop?
I can't imagine this issue hasn't been brought up before but I can't seem to find an answer.
Thanks in advance for your response!
Yup, that's been a big criticism with the NAC appliance out of the box. There is no way to prevent MAC spoofing. Cisco has a separate appliance called NAC Profiler, which solves this problem, but it costs extra.