https://community.cisco.com/t5/network-access-control/nac-bypass-with-basilisk-automatic-ethernet-ghosting/m-p/5557781#M600555 <P>Hi REJR77,</P><P>The reason Basilisk works: 802.1X (EAP-TLS included) only authenticates the session at the start — it never checks that later frames really come from that endpoint. The tool bridges in transparently, lets the real device finish EAP-TLS, then rides the session by cloning its MAC and IP.</P><P>That's also why port-security, DHCP snooping, DAI and IP Source Guard all miss it — the attacker reuses the legitimate MAC/IP, so every binding still looks consistent.</P><P>The only hard stop is the one you named: <STRONG>MACsec (802.1AE/MKA, host-to-switch via Secure Client + ISE)</STRONG> — it protects every frame cryptographically, so an inline device can't inject without the keys. Limit is coverage: printers, IoT, older NICs.</P><P>Where MACsec can't reach, assume bypass is possible and detect by behaviour, not identity:</P><UL><LI><STRONG>ISE profiling + Secure Network Analytics (Stealthwatch)</STRONG><SPAN>&nbsp;</SPAN>— flag the "printer" that suddenly scans or runs SSH/SMB, then CoA-quarantine it via pxGrid.</LI><LI>Keep exposed ports on tight ACLs; shut or blackhole unused ones.</LI></UL><P>Bottom line: MACsec where you can, behavioural detection + physical security everywhere else. No switch add-on reliably catches a clean transparent bridge on its own — by design it looks exactly like the host it's hiding behind.</P> Wed, 10 Jun 2026 09:02:43 GMT olasupoo 2026-06-10T09:02:43Z https://community.cisco.com/t5/network-access-control/nac-bypass-with-basilisk-automatic-ethernet-ghosting/m-p/5557779#M600554 <P>Hello,</P><P>Some tools like Basilisk can permit attacker to bypass NAC (event EAP-TLS)</P><P><A href="https://ringtail.ch/products/basilisk-automatic-ethernet-ghosting" target="_blank">Basilisk - Automatic Ethernet Ghosting – Ringtail Security</A></P><P>Is there a way to detect these type of device on the network and block them with ISE or directly with the switch (witht some security add on)</P><P>the fist thing I can see would be to use Secure client and MACsec, but it is not always possible.</P><P>Do some of you already have to manage these type of Pentest tool?</P><P>regards</P> Wed, 10 Jun 2026 08:55:02 GMT https://community.cisco.com/t5/network-access-control/nac-bypass-with-basilisk-automatic-ethernet-ghosting/m-p/5557779#M600554 REJR77 2026-06-10T08:55:02Z https://community.cisco.com/t5/network-access-control/nac-bypass-with-basilisk-automatic-ethernet-ghosting/m-p/5557781#M600555 <P>Hi REJR77,</P><P>The reason Basilisk works: 802.1X (EAP-TLS included) only authenticates the session at the start — it never checks that later frames really come from that endpoint. The tool bridges in transparently, lets the real device finish EAP-TLS, then rides the session by cloning its MAC and IP.</P><P>That's also why port-security, DHCP snooping, DAI and IP Source Guard all miss it — the attacker reuses the legitimate MAC/IP, so every binding still looks consistent.</P><P>The only hard stop is the one you named: <STRONG>MACsec (802.1AE/MKA, host-to-switch via Secure Client + ISE)</STRONG> — it protects every frame cryptographically, so an inline device can't inject without the keys. Limit is coverage: printers, IoT, older NICs.</P><P>Where MACsec can't reach, assume bypass is possible and detect by behaviour, not identity:</P><UL><LI><STRONG>ISE profiling + Secure Network Analytics (Stealthwatch)</STRONG><SPAN>&nbsp;</SPAN>— flag the "printer" that suddenly scans or runs SSH/SMB, then CoA-quarantine it via pxGrid.</LI><LI>Keep exposed ports on tight ACLs; shut or blackhole unused ones.</LI></UL><P>Bottom line: MACsec where you can, behavioural detection + physical security everywhere else. No switch add-on reliably catches a clean transparent bridge on its own — by design it looks exactly like the host it's hiding behind.</P> Wed, 10 Jun 2026 09:02:43 GMT https://community.cisco.com/t5/network-access-control/nac-bypass-with-basilisk-automatic-ethernet-ghosting/m-p/5557781#M600555 olasupoo 2026-06-10T09:02:43Z