Hello
Does Genians offer detection of bridging attacks like the Kali Dolos? https://kalilinuxtutorials.com/dolos-cloak-automated-802-1x-bypass-network-penetration/
Does Genians continually verify the endpoint in some manner as referenced in the above article?
Thanks
Hi, we have multiple lines of defense against this sort of attack.
1. Our endpoint agent or WMI query can make sure that a given device has all required security software installed on it. The agent can additionally make sure that anti-malware and other software are running and updated, as well as making sure prohibited software is not installed. It is also possible to disable any unneeded network or device interfaces, or to disable any unauthorized installed. If the attack is attempted using an extra Ethernet interface, the duplicate MAC can also be detected. This would mean an attacker would need to disconnect the interface to be spoofed / tapped from the network and attempt reauthentication. Unexpected changes in interface / 802.1x connection status may also be leveraged to mandate stricter security checks upon reauthentication. Similarly, any device can be quarantined in a VLAN upon authentication via 802.1x, and then reassigned after admin approval or automated testing by an integrated system. This can effectively prevent the exploit itself from occurring.
2. Any abnormality in broadcast traffic or in response to Genian NAC's scanning technology will identify that a node has changed platforms, or that there is general anomalous activity associated with the node. This can be used to trigger an enforcement action through ARP enforcement, TCP reset / ICMP unreachable message, endpoint agent action, SNMP port shutdown, or RADIUS CoA. Additionally, Genian NAC can send outbound notice to other network security products to enhance our enforcement capabilities. Likewise, we can receive inbound information from other external security systems to enhance our node information, or conduct enforcement on behalf of whatever system has detected a security risk.
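The two detections the answer leans on, a duplicate MAC appearing on a second port and a node whose platform fingerprint changes without a fresh 802.1x authentication, can be illustrated with a small monitor over node observations. This is an added example, not Genians code and not how Genian NAC is implemented; the observation record, the port naming, the 60-second correlation window and the sample observations are all constructed for the illustration, and the recommended actions are simply labels taken from the enforcement options the answer lists.

```python
"""
Toy NAC-style checks for the bridging / MAC-cloning scenario discussed above.

Two detections are modelled (added example, not vendor code):
 1. the same MAC observed on more than one switch port inside a short window,
    which is what a bridging device that reuses an authenticated endpoint's
    MAC looks like from the switch side;
 2. a node whose platform fingerprint changes while no new 802.1x
    authentication was seen, i.e. the node "changed platforms".
Every observation below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int            # seconds since monitoring start (monotonic)
    mac: str           # MAC address seen on the access port
    switch_port: str   # assumed "switch:interface" label, e.g. "sw1:Gi1/0/7"
    platform: str      # platform label produced by active/passive fingerprinting
    dot1x_event: bool  # True when this observation came with a fresh 802.1x auth


# Enforcement labels drawn from the options named in the answer.
ACTION_FOR = {
    "duplicate_mac": "SNMP port shutdown on the newer port, then RADIUS CoA reauth",
    "platform_change": "RADIUS CoA into quarantine VLAN pending agent/WMI recheck",
}


def analyze(observations, window=60):
    """Return {"duplicate_mac": [...], "platform_change": [...]} alert lists."""
    alerts = {"duplicate_mac": [], "platform_change": []}
    last_seen = defaultdict(dict)   # mac -> {switch_port: last ts}
    platform_of = {}                # mac -> last platform label

    for obs in sorted(observations, key=lambda o: o.ts):
        # 1. Same MAC alive on another port within the window: likely a clone.
        for port, ts in last_seen[obs.mac].items():
            if port != obs.switch_port and obs.ts - ts <= window:
                alerts["duplicate_mac"].append({
                    "ts": obs.ts, "mac": obs.mac,
                    "ports": (port, obs.switch_port),
                    "action": ACTION_FOR["duplicate_mac"],
                })
        last_seen[obs.mac][obs.switch_port] = obs.ts

        # 2. Fingerprint changed, but no reauthentication explains it.
        prev = platform_of.get(obs.mac)
        if prev is not None and prev != obs.platform and not obs.dot1x_event:
            alerts["platform_change"].append({
                "ts": obs.ts, "mac": obs.mac,
                "from": prev, "to": obs.platform,
                "action": ACTION_FOR["platform_change"],
            })
        platform_of[obs.mac] = obs.platform

    return alerts


# Constructed sample timeline: one workstation and one printer.
SAMPLE_OBSERVATIONS = [
    Observation(0,   "aa:bb:cc:dd:ee:01", "sw1:Gi1/0/7", "Windows 10", True),
    Observation(30,  "aa:bb:cc:dd:ee:01", "sw1:Gi1/0/7", "Windows 10", False),
    Observation(45,  "aa:bb:cc:dd:ee:01", "sw1:Gi1/0/9", "Windows 10", False),  # same MAC, other port
    Observation(120, "aa:bb:cc:dd:ee:01", "sw1:Gi1/0/7", "Linux",      False),  # platform changed, no reauth
    Observation(0,   "aa:bb:cc:dd:ee:02", "sw1:Gi1/0/3", "Printer",    True),
    Observation(500, "aa:bb:cc:dd:ee:02", "sw1:Gi1/0/3", "Linux",      True),   # changed, but reauthenticated
]

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_OBSERVATIONS).items():
        for a in items:
            print(kind, a)
```

The printer's platform change at t=500 is deliberately not alerted because it arrived with a new 802.1x authentication; in practice that is exactly the moment the answer suggests applying stricter checks, so a production system would log it rather than ignore it.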