
There's a decent amount of infrastructure involved in getting 802.1x authentication up and running in an efficient manner. While it does provide very good security, it's not widely used because of that.



Any idea on a good, at-home or small network alternative?


There really isn't one. 802.1x is the wired security standard, and almost never worth the hassle for home or small business networks unless you are really interested in learning the ins and outs.


Having a list of allowed MAC addresses, enforced per-port by a managed switch (or at least by the DHCP server and router), is a first step, though naturally it's easy to spoof a MAC address.


> though naturally it's easy to spoof a MAC address.

I used to live in an apartment that was within high gain antenna range of the local McDonalds Free WiFi. I had an antenna/wifi adaptor set up in promiscuous mode to listen to all traffic on their network, looking for MAC addresses that connected for a while, then stopped connecting. It'd then switch to that MAC address and BitTorrent until the 500MB daily cap per device ran out, then go back to monitoring mode looking for someone else who'd agreed to the captive portal T&Cs, had their MAC address whitelisted and then left. I think I got pretty much all of Game Of Thrones that way...

For a little while, I was monitoring my own home network, and one thing I tried was running nmap against any reconnection of a known/allowed MAC address, to try and confirm it at least looked like the same device. A RaspberryPi connecting using the MAC address of a phone or a MacBook stood out like a sore thumb. That never turned out useful enough for me to bother wrapping it up into a project I kept running or would have shared.
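The check described in the comment above, as an added example of my own (not the commenter's script): instead of running nmap, it records a per-MAC fingerprint from DHCP attributes on first sight and alerts when an allow-listed MAC reconnects looking like a different device. The MACs, hostnames and option-55 lists are constructed sample data, not real OS signatures.

```python
"""Detect an allow-listed MAC that reconnects with a different device fingerprint."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    hostname: str            # DHCP option 12 as sent by the client
    vendor_class: str        # DHCP option 60 (often empty)
    param_request: tuple     # DHCP option 55; order differs between OS stacks


# constructed allow list
ALLOWED = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

# constructed DHCP events: (mac, hostname, vendor_class, option-55 list)
EVENTS = [
    ("aa:bb:cc:dd:ee:01", "Alices-iPhone", "", (1, 121, 3, 6, 15, 119, 252)),
    ("aa:bb:cc:dd:ee:02", "MacBook-Pro", "", (1, 121, 3, 6, 15, 119, 252, 95, 44, 46)),
    ("aa:bb:cc:dd:ee:01", "Alices-iPhone", "", (1, 121, 3, 6, 15, 119, 252)),
    # same MAC as the phone, but hostname and option order look like a Linux board
    ("aa:bb:cc:dd:ee:01", "raspberrypi", "", (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42)),
    ("de:ad:be:ef:00:01", "unknown", "", (1, 3, 6)),
]


def check_events(events, allowed):
    """Return a list of (mac, reason, fingerprint) alerts.

    The first fingerprint seen for an allowed MAC becomes its baseline;
    any later connection whose fingerprint differs is flagged.  MACs that
    are not on the allow list are flagged on every appearance.
    """
    baseline = {}
    alerts = []
    for mac, host, vendor, opts in events:
        fp = Fingerprint(host, vendor, tuple(opts))
        if mac not in allowed:
            alerts.append((mac, "unknown-mac", fp))
            continue
        first = baseline.setdefault(mac, fp)
        if fp != first:
            alerts.append((mac, "fingerprint-changed", fp))
    return alerts


if __name__ == "__main__":
    for mac, reason, fp in check_events(EVENTS, ALLOWED):
        print(f"{mac} {reason}: {fp}")
```

A real deployment would feed this from the DHCP server's lease or request log and keep the baseline on disk so it survives restarts.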


MAC address filtering isn't a first step towards 802.1x, precisely because of the reason you mentioned. It's damn near pointless for all but the most basic security scenarios.


Obviously it's not a first step toward certificates, but it is a first step away from "anyone can casually plug in a hidden Pi."


Anyone who knows how to set up that RPi to do anything meaningful knows how to spoof a MAC


But would they be able to figure out a MAC to spoof without significant amounts of time in the data center/switch?



