We have had 802.1x -- CISCO + Active Directory Integration -- in place for over a year now and it is largely a success; Windows systems automatically obtain machine certificates (machines automatically receive certificates when they join the domain), supplicants exist for our IP Phones, and those devices (i.e.: printers) that are currently incapable of 802.1x are split off in a tightly controlled VLAN.
There are a few stragglers in this rollout: IT and development staff with 3+ desktops need to use a hub because they don't have the port density at their desk, and our switch does not permit multiple nodes on a hub to authenticate individually, so we have to leave the port open for those devices (sometimes we are successful in moving the extra devices into a locked room). We are also adding Apple OSX machines and they are … finicky when it comes to configuring 802.1x machine auth, not to mention that there is no auto-enrollment setup to programmatically obtain and install machine certificates into Apple's System keychain. (Resource scalability problem.)
So, it's not perfect but it's better than 80/20, probably 90/10 -- maybe even 95/5. Of course, that still leaves the '5 or 10' that will be vulnerable to MAC address stealing, allowing some malicious individuals in the right circumstances to gain unauthorized access to the network.
Purists will point out these faults and admonish anyone for the remaining gap. It can be argued that nothing is perfect, the security posture is actively improving, and that the effort to close the gap is larger than the remaining risk and likelihood of exposure. The security is "good enough".
The argument that security can be "good enough" but not absolute is not new - Google reveals many opinions on this topic. (Gartner stirred this pot in 2006). My consternation is around how we as security practitioners can quantify and agree on a measurement of good enough. How do we explain to lay people the value in leaving some holes open, so that focus can be paid to open holes in other domains?
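As an added illustration (not part of the original question), one way to put a number on the remaining gap and to watch it: count the share of access ports whose admission rests on a MAC address alone (the printer VLAN and the open hub ports described above), and flag a registered MAC that turns up on a port other than its home port, which is the observable trace of the MAC stealing the post worries about. The port inventory, the registered-MAC list and the "timestamp port mac" log shape are constructed assumptions, not any vendor's format.

```python
from collections import Counter

# Constructed inventory: access port -> how the switch admits devices on it.
PORTS = {
    "Gi1/0/1": "dot1x", "Gi1/0/2": "dot1x", "Gi1/0/3": "dot1x", "Gi1/0/4": "dot1x",
    "Gi1/0/5": "dot1x", "Gi1/0/6": "dot1x", "Gi1/0/7": "dot1x", "Gi1/0/8": "dot1x",
    "Gi1/0/9": "mac-vlan",   # printer VLAN: admitted by MAC address only
    "Gi1/0/10": "open",      # hub for a developer's extra desktops: port left open
}

# Constructed: devices that bypass 802.1x and the port each one is registered to.
REGISTERED = {
    "00:11:22:33:44:55": "Gi1/0/9",    # printer
    "66:77:88:99:aa:bb": "Gi1/0/10",   # desktop behind the hub
}

# Constructed MAC-table log in an assumed "timestamp port mac" shape.
LOG = """\
2024-01-01T09:00:01 Gi1/0/9  00:11:22:33:44:55
2024-01-01T09:00:05 Gi1/0/10 66:77:88:99:aa:bb
2024-01-01T09:02:13 Gi1/0/7  00:11:22:33:44:55
2024-01-01T09:03:00 Gi1/0/1  de:ad:be:ef:00:01
"""

def mac_only_share(ports):
    """Fraction of access ports whose admission decision rests on MAC identity alone."""
    kinds = Counter(ports.values())
    return (kinds["mac-vlan"] + kinds["open"]) / len(ports)

def find_moved_macs(log, registered):
    """Return (mac, port) pairs where a registered MAC appeared away from its home port."""
    hits = []
    for line in log.strip().splitlines():
        _ts, port, mac = line.split()
        home = registered.get(mac.lower())
        if home is not None and port != home:
            hits.append((mac.lower(), port))
    return hits

if __name__ == "__main__":
    print(f"ports relying on MAC identity alone: {mac_only_share(PORTS):.0%}")
    for mac, port in find_moved_macs(LOG, REGISTERED):
        print(f"registered MAC {mac} seen on unexpected port {port}")
```

The share is the "10" in 90/10 as a measurable figure that can be tracked over time, and the moved-MAC check turns the residual risk into something the 802.1x-exempt ports can actually alert on.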