A system that includes a threat management server configured to store a device log identifying location information for endpoint devices that have passed authentication. The threat management server identifies a first instance and a second instance of an endpoint device in the device log file. The threat management server identifies a first switch connected to the first instance of the endpoint device and a second switch connected to the second instance of the endpoint device. The threat management server sends location information request to the first switch and the second switch requesting location information for the first instance and the second instance of the endpoint device, respectively. The threat management server compared the received location information to the information in the device log file to identify a spoofed instance of the endpoint device and blocks the spoofed instance of the endpoint device from accessing the communications network.