Is MAC address filtering the most suitable option to prevent someone connecting their own device to the network by plugging into Ethernet wall sockets? What if they unplug a device and clone its MAC?
How to stop an intruder plugging into an Ethernet wall socket getting access to the network
ieee-802.1x, mac address, port-security, rogue, Security
Related Solutions
Lucas's answer above is a bit of a starting point. There are, however, two or three other things that must be considered. These end up being somewhat outside the scope of network engineering, but certainly have impacts for network engineering and security, so here they go.
You probably want some way of preventing wireless cards in company laptops from being switched into ad hoc mode. Assuming the laptops are running Windows, you probably want to use a GPO to set them to infrastructure mode only. For Linux, it is harder to fully restrict, but there are ways to do this too.
Enforcing IPSec is also a good idea, particularly with good key management and trusted enforcement. For example, if you can go to X509 certs for key management, this can keep unauthorized devices from communicating with the rest of your network directly. Consider key management as a core part of the infrastructure here. If you use a proxy server, you may even be able to block unauthorized devices from accessing the internet.
Note the limitations of your efforts. None of these prevents a person from setting up an unsecured wireless access point connected to a USB NIC, for the sole purpose of communicating with their computer, especially if the SSID is hidden (i.e. not broadcast).
Not sure how to further contain problems or if further paranoia is well past the point of insufficient returns...
I don't know of any switches that are 802.1x supplicants, so Option A is probably out. So between Options B and C, the primary difference is cost. I imagine rewiring your office is both expensive and disruptive, vs the cost and the hassle of managing all those new switches.
The real question you should be asking is, what threat am I defending against, and what is the real risk? Are you really worried that someone might sneak into your building (I have no idea what kind of office you're in or where it is) and plug in an unknown device? Why would they do that? The question should not be "is it possible," but "is it a significant risk worth the cost of rewiring or buying new switches?"
As an example, in the office I'm currently working (a quasi-government agency), we do not have 802.1x. In theory, anyone can plug a device into the network. But in order to do so, you first have to get by the guards at the entrance, and you would need a badge with a card key. If you are an employee, you would know that there is a policy prohibiting unauthorized devices on the network.
Clearly, if you really, really wanted to, you could bypass all these controls. But management has decided that these controls are sufficient, given the risk to the network. Frankly, if you really wanted something on our network, it would be easier to pwn a machine and steal it remotely. That way, you could take your time and avoid the risk of detection and arrest.
My point is: just because you have a shiny new 802.1x system for wifi, it doesn't mean you need it for your wired network. Or if you do decide to use it, tamper-proof boxes, etc., may not be necessary. You (and management) need to weigh the risk against the cost of new switches, wiring, maintenance and reliability (what happens if your RADIUS server crashes? Does that block all network access?).
Maybe you work in a high-security environment where all these controls are necessary. But I'm guessing you have a solution looking for a problem. Best to weigh the risk vs cost. That analysis will allow you to justify the costs (monetary and operational) to management.
Best Answer
MAC address filtering itself does not provide much protection. As you pointed out, a MAC address can be cloned. That doesn't mean it can't be part of the overall defense strategy, but it can be a lot of work for very little return.
You need a comprehensive security policy which can include such things as:
As a locksmith friend of mine once told me, "Locks only keep honest people honest." The bad guys will always find a way; your job is to make it not worth their efforts. If you provide enough layers of protection, only the most determined bad guys will spend the time and effort.
You have to weigh the risks with the resources (primarily time and money, but lost productivity, too) that you are willing to put into securing your network. It may not make much sense to spend thousands of dollars and many man hours to protect that garage-sale bicycle you bought for $10. You need to come up with a plan and decide how much risk you can tolerate.