MAC Locking on Wired Network

I just got back from a long stay in Iraq. While I was out, our network guys setup mac locking on every wired port across the network. It turns out, all our users are a bit jaded with the support they got while I was gone and haven't mentioned the issues they are now experiencing. Many of them use their laptops to work in several different offices across our campus. The MAC Locking is now a serious detriment to business.

However, I am conscious of the security purposes for doing this. I would like to offer a better solution. I know we could go with 802.1x. What other options are out there? We are a full Cisco shop with the latest and greatest technology. Between MAC spoofing and the fact that all offices are secured and all visitors require an escort, I don't even think it is necessary.

Any advice?

Its all going to depend on what you are protecting. You need to do a risk analysis and determine if the MAC filtering is causing too much inconvinence. At the end of the day, there needs to be a balance between security and usability.

Like you said, 802.1x would be better as it protects at the port level and users need to authenticate which means they can plug into any port as long as they can authenticate. Also Cisco NAC will give additional features of doing end point checking on hosts to ensure that they are at a base level before they get network access.