AAA and 802.1X Authentication

Hello Justin

If I understood your argument correctly, you mean connecting something like an access point or a SOHO router to the port-security-enabled switchport and having that device perform NAT, where all hosts connected to that device communicate on the network via the 802.1X-enabled port using a single MAC and IP address, thus defeating port security, correct?

Yes, this would “defeat” 802.1X if you had configured it to allow any single MAC address. However, you can configure it to allow only a particular MAC address, that of the only allowed workstation or device. In this case, if you were to unplug the workstation and plug in the SOHO router, the MAC is unrecognized, and 802.1X is activated.

There are quite a few parameters available that will allow you to certify that only those that are allowed to connect to a particular port will be able to use it. You can even set up remote authentication using a RADIUS server, where a password is required from the host to enable connectivity, something that a simple SOHO router using NAT could never compromise.

I hope this has been helpful!

Laz

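As an added example, not part of Laz's reply and not taken from any vendor document, here is a Cisco IOS configuration that puts the two mechanisms discussed above on one access port: port security pinned to a single permitted MAC address, and 802.1X authentication against a RADIUS server so that a device on the port has to supply credentials, not just a MAC. The RADIUS server address, shared secret, VLAN number, interface name and MAC address are assumed placeholders, not values from the thread.

```cisco
! --- Global: enable AAA and point 802.1X authentication at RADIUS ---
aaa new-model
! Assumed RADIUS server and shared secret (placeholders)
radius server NAC-RADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key Sup3rS3cretKey
aaa authentication dot1x default group radius
! Turn on the 802.1X authenticator function switch-wide
dot1x system-auth-control
!
! --- Per-port: one allowed MAC, plus 802.1X before any traffic passes ---
interface GigabitEthernet1/0/10
 description Workstation port - single MAC, 802.1X required
 switchport mode access
 switchport access vlan 20
 !
 ! Port security: only this one MAC (assumed placeholder) may appear.
 ! A second or different MAC (e.g. a SOHO router plugged in instead of
 ! the workstation) triggers the violation action and err-disables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 !
 ! 802.1X: port stays unauthorized until the supplicant authenticates
 ! via RADIUS; MAC alone is not enough to get link-level access.
 authentication port-control auto
 dot1x pae authenticator
 !
 ! Optional: recover an err-disabled port automatically after 5 minutes
 ! (the global 'errdisable recovery cause psecure-violation' must be set)
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To check the result, `show port-security interface GigabitEthernet1/0/10` reports the configured and learned MAC, the violation count and whether the port is in the shutdown state, and `show authentication sessions interface GigabitEthernet1/0/10` shows whether an 802.1X session has actually authorized the port. With both in place, swapping the workstation for a NAT device fails twice over: the unexpected MAC trips port security, and even a device that cloned the workstation's MAC would still be held unauthorized until it completes the RADIUS-backed 802.1X exchange.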