Network Access Control (NAC) is a system meant to restrict device access to the internal network. It prevents unauthorized or "unhealthy" devices from connecting. "Unhealthy" devices are ones that do not have the latest antivirus update, security patch, proper firewall setting, security policy settings, etc. Usually unauthorized or unhealthy devices are redirected to a captive guest portal where they remain quarantined in a separate VLAN until they are given authorization or they remediate all of their issues. For NAC to work, it requires infrastructure devices to enforce the restrictions. These enforcers are typically points of entry such as a network switch, a WAP, or a remote access/VPN server. They can also be DHCP servers. Enforcers relay client connection requests to the Network Policy Server (NPS) and then permit or deny the connection based on the decision returned by the NPS.

Although a pen tester might be able to make unauthorized changes to the NPS, this would entail a lot of work. There are a few easier ways to try to bypass NAC. The most common include:

  • Spoofing the MAC and IP addresses of a device that cannot natively participate in NAC, such as a VoIP phone or printer. These devices will be whitelisted by the administrator, and often there is no mechanism to verify that the MAC address truly belongs to the device.
  • Using IPv6 rather than IPv4 on the unauthorized device. Most servers have IPv6 enabled and addressed by default, but administrators still forget to include IPv6 rules in firewalls and NAC policy.
  • Using a rogue wireless access point to get an authorized device to connect with an attacker machine. The attacker machine compromises the authorized device, then uses it to relay malicious traffic into the protected network.
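The following Python script is an added example, not code from the original article or from any NAC product. It models the decision flow described above (an enforcer relays a connection request to a policy server, which answers permit, quarantine or guest with a VLAN) and then shows the two defender-side checks that the first two bypasses in the list call for: the whitelist branch for agentless devices cross-checks the MAC's OUI and the observed DHCP vendor class against the device class the administrator claimed, so a spoofed "printer" MAC on a Windows host does not get the production VLAN; and a separate audit lists IPv4 firewall/NAC rules that have no IPv6 counterpart. Every OUI prefix, MAC, VLAN number, threshold and rule line is constructed sample data, and the rule format and function names are this example's own assumptions.

```python
"""Toy NAC policy server with two defender-side audits (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PRODUCTION_VLAN = 100     # constructed VLAN numbers
QUARANTINE_VLAN = 900
GUEST_VLAN = 901

# Constructed OUI (first three octets) -> device class table. A real
# deployment would use the IEEE OUI registry; these prefixes are placeholders.
OUI_CLASS = {
    "00:11:22": "voip_phone",
    "aa:bb:cc": "printer",
}

# Constructed whitelist: MAC -> device class as the administrator entered it.
WHITELIST = {
    "00:11:22:33:44:55": "voip_phone",
    "aa:bb:cc:dd:ee:ff": "printer",
    "de:ad:be:ef:00:01": "printer",   # typed in by hand; OUI is not a printer OUI
}

MIN_PATCH_LEVEL = 42      # constructed health baseline
MAX_AV_AGE_DAYS = 7


@dataclass
class Posture:
    """Health report from the NAC agent on a managed endpoint."""
    authenticated: bool
    av_signature_age_days: int
    patch_level: int
    firewall_enabled: bool


@dataclass
class Request:
    """What the enforcer (switch, WAP, VPN server) relays to the policy server."""
    mac: str
    posture: Optional[Posture]        # None for agentless devices
    dhcp_vendor_class: str = ""       # DHCP option 60 as seen by the enforcer


def health_failures(p: Posture) -> list[str]:
    """Return every health-policy violation; an empty list means healthy."""
    failures = []
    if p.av_signature_age_days > MAX_AV_AGE_DAYS:
        failures.append(f"antivirus signatures {p.av_signature_age_days} days old")
    if p.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {p.patch_level} below baseline {MIN_PATCH_LEVEL}")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def whitelist_anomalies(mac: str, claimed_class: str, vendor_class: str) -> list[str]:
    """Signals that a whitelisted MAC is not the device class it claims to be."""
    oui = mac[:8]
    problems = []
    if OUI_CLASS.get(oui) != claimed_class:
        problems.append(f"OUI {oui} is not registered for class {claimed_class}")
    # Windows DHCP clients send a vendor class starting with "MSFT"; a phone
    # or printer entry showing that is a strong sign of a spoofed MAC.
    if vendor_class.startswith("MSFT"):
        problems.append(f"DHCP vendor class {vendor_class!r} is a Windows host, not a {claimed_class}")
    return problems


def evaluate(req: Request) -> tuple[str, int, list[str]]:
    """Policy-server decision: (verdict, vlan, reasons)."""
    mac = req.mac.lower()
    if mac in WHITELIST:
        reasons = whitelist_anomalies(mac, WHITELIST[mac], req.dhcp_vendor_class)
        if reasons:
            return "quarantine", QUARANTINE_VLAN, reasons
        return "permit", PRODUCTION_VLAN, ["whitelisted agentless device"]
    if req.posture is None or not req.posture.authenticated:
        return "guest", GUEST_VLAN, ["unauthorized device, redirect to captive portal"]
    failures = health_failures(req.posture)
    if failures:
        return "quarantine", QUARANTINE_VLAN, failures
    return "permit", PRODUCTION_VLAN, []


# Constructed rule lines: "<family> <action> <src>-><dst> <service>".
SAMPLE_RULES = [
    "ipv4 deny quarantine->internal any",
    "ipv6 deny quarantine->internal any",
    "ipv4 deny guest->internal any",            # no IPv6 twin: the gap
    "ipv4 allow quarantine->remediation tcp/443",
    "ipv6 allow quarantine->remediation tcp/443",
]


def ipv6_gaps(rules: list[str]) -> list[str]:
    """Return IPv4 rules (minus the family token) that have no IPv6 counterpart."""
    by_family: dict[str, set[str]] = {"ipv4": set(), "ipv6": set()}
    for line in rules:
        family, rest = line.split(maxsplit=1)
        by_family[family].add(rest)
    return sorted(by_family["ipv4"] - by_family["ipv6"])


if __name__ == "__main__":
    demo = [
        Request("00:11:22:33:44:55", None),                      # real phone
        Request("AA:BB:CC:DD:EE:FF", None, "MSFT 5.0"),          # spoofed printer MAC
        Request("de:ad:be:ef:00:01", None),                      # sloppy whitelist entry
        Request("10:20:30:40:50:61", Posture(True, 30, 40, False)),
    ]
    for r in demo:
        print(r.mac, *evaluate(r))
    print("IPv4 rules without an IPv6 counterpart:", ipv6_gaps(SAMPLE_RULES))
```

The OUI and vendor-class checks only raise the bar: a determined attacker can match both, so the cross-check belongs alongside port-level controls (one MAC per port, 802.1X where the device supports it) rather than replacing them. The rule-parity audit is deliberately dumb on purpose: it only reports rules that exist for one family and not the other, which is exactly the class of omission the IPv6 bypass depends on.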
Spoofing the MAC of an approved device to bypass NAC