9Stratagem
2 posts

Anyone seen this?

http://pwnieexpress.com/pages/nac-802-1x-bypass

Unreal... how could you possibly defend against this?

Scott24038
3 posts

Well. First of all, this device is for an insider threat and the purpose is to gain access to the network using a device that hasn't been locked down. Assuming you have implemented an adequate multi-tiered security strategy, you should be able to catch them at other points in the network.

It brings to mind the question a friend of mine over at Cisco once posed: "If you had to invest 70% of your IT security budget in prevention OR detection, which one would you choose?" My choice would be detection for this very type of scenario. NAC is a prevention technology.

However, to answer your specific question, welcome 802.1AE, otherwise known as MACSec. It's basically IPsec done at layer-2 and takes this device out of the equation.

stretch
274 posts

Neat little box though.
