Bypassing network access control (NAC)

Published on
5,232 Points
Last Modified:
NAC solutions are thought by some to be a magic bullet; however this is not the case.

This article contains sensitive information which is well known in the information security industry (at least for experts); however is not well known to the IT industry.

This article is not hacking. It merely showcases how simple configurations prohibit the NAC from protecting your network. This article does not discuss methods of bypassing 802.1x.

NAC verify the computer's / devices in various manners including, but not limited to:
  • MAC address
  • WMI queries
  • Installed applications and configurations (includes domain membership)
Most NAC solutions can be bypassed in several fashions:

Hub (not switch!)
  1. Connect a valid computer/device to the hub
  2. Connect the hub to the network
  3. Once verified (or after a couple of minutes) proceed to the next step
  4. Modify your network adaptor MAC address and IP address to match the valid computer
  5. Enjoy!
However this method produces TCP resets and as such is easy to locate and produces noise over the network. When using the Hub method the invalid computer sends out TCP SYN requests and the replies to it are sent back to both the valid and invalid computer; at this point the valid computer sends out a reset packet (because it isn't expecting that connection) and a race condition begins where one computer tries to reset the connection and the other tries to continue the connection. This situation allows for easier forensics and worse connections.

The second fashion:

  1. Configure the router (with NAT and PAT enabled) to router all incoming ports to a specific port (e.g. port 1) / to a specific IP (e.g.
  2. Connect the valid computer/device to the router (port 1).
  3. If forwarding using IP address the IP address configured in step one should be the first one the router DHCP issues, verify the valid computer/device received it
  4. Connect the WAN port to the network
  5. Once verified (or after a couple of minutes) proceed to the next step
  6. Connect your computer to an unused port on the router
  7. Enjoy!
Finding a circumvention performed in this fashion is not possible unless the router's WAN port hasn't
been changed (for example, if your company uses ABC network cards, and you see one from DEF Network Card, Inc, that should raise a flag).

There are expensive solutions such as MAG SEC that can close the problem but that's not really NAC and usually not feasable.
1 Comment
LVL 38

Expert Comment

by:Rich Rumble
You can also clone the MAC address of "dumb" equipment such as a printer/copier. They are often whitelisted and or allowed to bypass 802.1x based on MAC alone. Another method is to use an Ad-hoc network on an authorized host. If you find a laptop or someones phone/tablet with an ad-hoc you can often join it with little trouble, then you are proxied via the authorized device.

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Join & Write a Comment

Check How effective MS Exchange Expert thinks Exchange Mailbox Recovery by SysTools IS. Visit the Official site to get detailed information:- https://www.systoolsgroup.com/exchange-recovery.html (https://www.systoolsgroup.com/exchange-recovery.h…
If you, like me, have a dislike for using Online Subscription anti-spam services, then this video series is for you. I have an inherent dislike of leaving decisions such as what is and what isn't spamming to other people or services for me and insis…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month