I've been playing around with wired 802.1x w/ MAC authentication fallback - doing authorisation based on device fingerprint in the endpoint database.
Is there any way to force the endpoint's profile information to be updated with every DHCP request that gets relayed to ClearPass? Looking at using this mechanism to stop MAC address spoofing...