SD access can be alsoe integrated with ISE(Identity service engine) which can detect any rogue PC in your network.
ISE centrally know what are all the end points in the netowork and where they are located.
So with all this info how does ISE does identity based access.
ISE specs--
1- it can talk to 100k network devices.
2- 1.5 million end points
3- 300k internal user accounts.
4- 1 million guest user accounts
5- 1 million user certificates.
Following is the link for more information on ISE:
https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html