Bypassing network access control (NAC)

NAC solutions are thought by some to be a magic bullet; however, this is not the case.

This article contains sensitive information that is well known in the information security industry (at least to experts) but is not well known to the IT industry.

This article is not hacking. It merely showcases how simple configurations prohibit the NAC from protecting your network. This article does not discuss methods of bypassing 802.1x.

NAC solutions verify computers and devices in various ways, including, but not limited to:
  • MAC address
  • WMI queries
  • Installed applications and configurations (includes domain membership)
Most NAC solutions can be bypassed in several fashions:

Hub (not switch!)
  1. Connect a valid computer/device to the hub
  2. Connect the hub to the network
  3. Once verified (or after a couple of minutes) proceed to the next step
  4. Modify your network adaptor MAC address and IP address to match the valid computer
  5. Enjoy!
However, this method produces TCP resets, so it generates noise on the network and is easy to locate. When using the hub method, the invalid computer sends out TCP SYN requests and the replies to them are delivered to both the valid and the invalid computer. At this point the valid computer sends out a reset packet (because it isn't expecting that connection), and a race condition begins in which one computer tries to reset the connection while the other tries to continue it. This situation makes forensics easier and the connections worse.
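The reset race described above leaves a recognisable trace: one SYN-ACK answered, from the same client address, by both a handshake-completing ACK and a RST. The following detection sketch is an added example, not part of the original article; the packet record layout, the one-second window and all addresses and sequence numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Simplified packet summary; this record layout is an assumption of the example.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack")

def find_shared_identity_flows(packets, window=1.0):
    """Return client->server flows where one SYN-ACK drew both an ACK and a RST.

    Both answers carry seq == SYN-ACK.ack, so they come from two TCP stacks
    sharing one MAC/IP: one knows the connection, the other does not.
    """
    synacks = {}                 # client-oriented flow key -> SYN-ACK packet
    answers = defaultdict(set)   # flow key -> kinds of answer observed
    for p in sorted(packets, key=lambda p: p.ts):
        if p.flags == "SA":
            synacks[(p.dst, p.dport, p.src, p.sport)] = p
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        sa = synacks.get(key)
        if sa is None or p.ts - sa.ts > window or p.seq != sa.ack:
            continue             # unrelated, too late, or wrong sequence number
        if "R" in p.flags:
            answers[key].add("RST")
        elif p.flags == "A" and p.ack == sa.seq + 1:
            answers[key].add("ACK")
    return sorted(k for k, kinds in answers.items() if kinds == {"RST", "ACK"})

# Constructed sample traffic (made-up addresses and sequence numbers).
SAMPLE = [
    # Shared identity: the SYN-ACK is answered by a RST and by an ACK.
    Pkt(0.000, "10.0.0.50", 40000, "192.0.2.10", 443, "S", 1000, 0),
    Pkt(0.010, "192.0.2.10", 443, "10.0.0.50", 40000, "SA", 5000, 1001),
    Pkt(0.011, "10.0.0.50", 40000, "192.0.2.10", 443, "R", 1001, 0),
    Pkt(0.012, "10.0.0.50", 40000, "192.0.2.10", 443, "A", 1001, 5001),
    # Normal handshake.
    Pkt(1.000, "10.0.0.51", 40001, "192.0.2.10", 443, "S", 2000, 0),
    Pkt(1.010, "192.0.2.10", 443, "10.0.0.51", 40001, "SA", 7000, 2001),
    Pkt(1.011, "10.0.0.51", 40001, "192.0.2.10", 443, "A", 2001, 7001),
    # Normal handshake, aborted by the client much later.
    Pkt(2.000, "10.0.0.52", 40002, "192.0.2.10", 443, "S", 3000, 0),
    Pkt(2.010, "192.0.2.10", 443, "10.0.0.52", 40002, "SA", 9000, 3001),
    Pkt(2.011, "10.0.0.52", 40002, "192.0.2.10", 443, "A", 3001, 9001),
    Pkt(40.00, "10.0.0.52", 40002, "192.0.2.10", 443, "R", 3400, 0),
]

if __name__ == "__main__":
    for flow in find_shared_identity_flows(SAMPLE):
        print("possible shared MAC/IP behind a hub:", flow)
```

Repeated hits for the same client address across many flows are a stronger signal than a single one, since an isolated reset can have other causes.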

The second fashion:

  1. Configure the router (with NAT and PAT enabled) to route all incoming ports to a specific port (e.g. port 1) / to a specific IP (e.g.
  2. Connect the valid computer/device to the router (port 1).
  3. If forwarding by IP address, the IP address configured in step one should be the first one the router's DHCP issues; verify that the valid computer/device received it
  4. Connect the WAN port to the network
  5. Once verified (or after a couple of minutes) proceed to the next step
  6. Connect your computer to an unused port on the router
  7. Enjoy!
Finding a circumvention performed in this fashion is not possible unless the router's WAN port hasn't been changed (for example, if your company uses ABC network cards, and you see one from DEF Network Card, Inc, that should raise a flag).

There are expensive solutions such as MAG SEC that can close the problem, but that's not really NAC and usually not feasible.
1 Comment
Expert Comment

by: Rich Rumble
You can also clone the MAC address of "dumb" equipment such as a printer/copier. They are often whitelisted and/or allowed to bypass 802.1x based on MAC alone. Another method is to use an ad-hoc network on an authorized host. If you find a laptop or someone's phone/tablet with an ad-hoc network, you can often join it with little trouble; then you are proxied via the authorized device.
