MAC+IP Clones ============= Genian NAC can detect MAC / IP theft in a variety of ways. The Network Sensor periodically sends an ARP request to check the operation status of Nodes. If two MAC's answer to a request for one IP, Genian NAC designates the more recently detected Node as a critical Node. In addition, if the user changes the MAC on the endpoint where the Agent is installed and the MAC is already being used by another device, that device is then designated as a critical Node. Genian NAC provides industry-leading platform detection to detect when a Node is changing to another platform, allowing administrators to see when changes are made, and to block devices when unauthorized platform changes are detected. Configure Settings for MAC+IP Clones in Anomaly Definition ---------------------------------------------------------- #. Go to **Policy** in the top panel. #. Go to **Policy > Node Policy > Anomaly Definition** in the left Policy panel. #. Click **MAC+IP Clones.** #. Find **Anomaly Event** section to configure more options. - For **MAC Spoofing Detection**, optional setting to specify whether an interface's MAC address is manually changed is also detected. #. Click **Update** Create Node Group For MAC+IP Cloned ----------------------------------- #. Go to **Policy** in the top panel. #. Go to **Policy > Group > Node** in the left Policy panel. #. Click on **Tasks > Create** #. For **ID:** MAC+IP Cloned. #. For **Status:** Enabled. #. For **Boolean Operator** select **OR.** #. Find and click on **Add** in **Condition** section. #. For each **Anomaly** you want to add use the followings: - **Options:** Anomaly - **Operator:** Detected is one of - **Value:** MAC+IP Clones #. Click **Add.** #. Keep adding **Conditions** as needed. #. Click **Save.**