Bypassing network access control (NAC)

NAC solutions are thought by some to be a magic bullet; however this is not the case.

This article contains sensitive information which is well known in the information security industry (at least for experts); however is not well known to the IT industry.

This article is not hacking. It merely showcases how simple configurations prohibit the NAC from protecting your network. This article does not discuss methods of bypassing 802.1x.

NAC verify the computer's / devices in various manners including, but not limited to:
  • MAC address
  • WMI queries
  • Installed applications and configurations (includes domain membership)
Most NAC solutions can be bypassed in several fashions:

Hub (not switch!)
  1. Connect a valid computer/device to the hub
  2. Connect the hub to the network
  3. Once verified (or after a couple of minutes) proceed to the next step
  4. Modify your network adaptor MAC address and IP address to match the valid computer
  5. Enjoy!
However this method produces TCP resets and as such is easy to locate and produces noise over the network. When using the Hub method the invalid computer sends out TCP SYN requests and the replies to it are sent back to both the valid and invalid computer; at this point the valid computer sends out a reset packet (because it isn't expecting that connection) and a race condition begins where one computer tries to reset the connection and the other tries to continue the connection. This situation allows for easier forensics and worse connections.

The second fashion:

  1. Configure the router (with NAT and PAT enabled) to router all incoming ports to a specific port (e.g. port 1) / to a specific IP (e.g.
  2. Connect the valid computer/device to the router (port 1).
  3. If forwarding using IP address the IP address configured in step one should be the first one the router DHCP issues, verify the valid computer/device received it
  4. Connect the WAN port to the network
  5. Once verified (or after a couple of minutes) proceed to the next step
  6. Connect your computer to an unused port on the router
  7. Enjoy!
Finding a circumvention performed in this fashion is not possible unless the router's WAN port hasn't
been changed (for example, if your company uses ABC network cards, and you see one from DEF Network Card, Inc, that should raise a flag).

There are expensive solutions such as MAG SEC that can close the problem but that's not really NAC and usually not feasable.

Comments (1)

Rich RumbleSecurity Samurai
Top Expert 2006

You can also clone the MAC address of "dumb" equipment such as a printer/copier. They are often whitelisted and or allowed to bypass 802.1x based on MAC alone. Another method is to use an Ad-hoc network on an authorized host. If you find a laptop or someones phone/tablet with an ad-hoc you can often join it with little trouble, then you are proxied via the authorized device.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.