If secure NAC is the priority, then I'd recommend checking out the 802.1X protocol in conjunction with a RADIUS server. Basically, when someone connects to a port, they are allowed to communicate with a RADIUS server (using EAP). They must authenticate through RADIUS before the port is opened.
Additionally, the RADIUS server can relay a VLAN ID to the switch, based upon the end-user's account. The client device is then placed into the appropriate VLAN.
Note that RADIUS can also be linked to your local MS Active Directory.
If you use EAP-TLS, then both the switch infrastructure and client devices can be verified as genuine corporate devices, using certificates. Validating certificates through a Certificate Authority (such as Verisign) adds yet further security.
The new 3850 series switch has additional capabilities that make it easier for 802.1X to mitigate some of the drawbacks. For example, you can enable specific ports with 802.1X instead of the entire switch.
Whilst it would take some work to set up, I suspect it would require less day-to-day maintenance. It would also be more secure and could lead the way to employees bringing in their own devices, if you wish.
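To make the RADIUS side of the VLAN-assignment step concrete, here is an added example (not code from the answer above, nor from any vendor) that builds the RADIUS Access-Accept a server would return after a successful EAP exchange and shows the checks a switch performs before trusting it. The VLAN is carried in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes from RFC 2868 (the IEEE 802.1X usage is described in RFC 3580), and the reply is bound to the original request by the Response Authenticator from RFC 2865, an MD5 over the reply header, the request's 16-byte authenticator, the attributes and the shared secret. The shared secret, request authenticator and VLAN number are constructed values; the EAP conversation itself is omitted.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Tunnel attributes used for dynamic VLAN assignment (RFC 2868, RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value meaning "IEEE 802"


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_reply(code, identifier, request_auth, secret, vlan_id=None):
    """Server side: build an Access-Accept (with VLAN attributes) or Access-Reject.

    request_auth is the 16-byte Request Authenticator the switch sent in its
    Access-Request; the reply is bound to it through the Response Authenticator.
    """
    attrs = b""
    if code == ACCESS_ACCEPT and vlan_id is not None:
        # Tagged attributes: a leading tag octet (0 = untagged) precedes the value.
        attrs += encode_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        attrs += encode_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
        attrs += encode_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Walk the attribute area, rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def strip_tag(value):
    """RFC 2868: a first octet in 0x00..0x1F is a tag, not part of the value."""
    return value[1:] if value and value[0] <= 0x1F else value


def switch_handle_reply(packet, request_auth, secret):
    """Switch (authenticator) side: verify the reply and extract the VLAN to apply.

    Returns the VLAN ID on a valid Access-Accept carrying VLAN attributes,
    None on a valid Access-Reject or an Accept without usable VLAN attributes,
    and raises ValueError on anything that fails integrity or sanity checks.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    resp_auth, attrs_raw = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    # Constant-time compare: a reply not bound to our request and secret is discarded.
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    if code != ACCESS_ACCEPT:
        return None
    attrs = {t: strip_tag(v) for t, v in parse_attrs(attrs_raw)}
    if int.from_bytes(attrs.get(TUNNEL_TYPE, b""), "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None
    vlan_id = int(group.decode("ascii"))
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return vlan_id


# Constructed demo values (not real credentials or traffic).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def demo_accept(vlan_id=20):
    reply = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, vlan_id)
    return switch_handle_reply(reply, REQUEST_AUTH, SECRET)


def demo_reject():
    reply = build_reply(ACCESS_REJECT, 8, REQUEST_AUTH, SECRET)
    return switch_handle_reply(reply, REQUEST_AUTH, SECRET)


def demo_tampered():
    """Flip one byte of the VLAN string after signing; the switch must refuse it."""
    reply = build_reply(ACCESS_ACCEPT, 9, REQUEST_AUTH, SECRET, 20)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])
    try:
        switch_handle_reply(tampered, REQUEST_AUTH, SECRET)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("accept ->", demo_accept())      # 20
    print("reject ->", demo_reject())      # None
    print("tampered rejected ->", demo_tampered())  # True
```

Two points the example makes that matter operationally: the Response Authenticator only proves the reply came from something holding the shared secret, so that secret deserves the same handling as any other infrastructure credential, and a reply whose length field or attribute lengths do not add up is dropped rather than partially parsed. Real EAP deployments additionally carry a Message-Authenticator attribute (HMAC-MD5, RFC 3579) that the switch must check; it is left out here to keep the focus on the VLAN attributes.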