NAC bypass with Basilisk - Automatic Ethernet Ghosting

REJR77
Level 5

Hello,

Some tools like Basilisk can allow an attacker to bypass NAC (even EAP-TLS).

Basilisk - Automatic Ethernet Ghosting – Ringtail Security

Is there a way to detect this type of device on the network and block it with ISE or directly with the switch (with some security add-on)?

The first thing I can see would be to use Secure Client and MACsec, but it is not always possible.

Do some of you already have to manage this type of pentest tool?

regards

1 Reply

olasupoo
Level 2

Hi REJR77,

The reason Basilisk works: 802.1X (EAP-TLS included) only authenticates the session at the start — it never checks that later frames really come from that endpoint. The tool bridges in transparently, lets the real device finish EAP-TLS, then rides the session by cloning its MAC and IP.

That's also why port-security, DHCP snooping, DAI and IP Source Guard all miss it — the attacker reuses the legitimate MAC/IP, so every binding still looks consistent.

The only hard stop is the one you named: MACsec (802.1AE/MKA, host-to-switch via Secure Client + ISE) — it protects every frame cryptographically, so an inline device can't inject without the keys. Limit is coverage: printers, IoT, older NICs.

Where MACsec can't reach, assume bypass is possible and detect by behaviour, not identity:

  • ISE profiling + Secure Network Analytics (Stealthwatch) — flag the "printer" that suddenly scans or runs SSH/SMB, then CoA-quarantine it via pxGrid.
  • Keep exposed ports on tight ACLs; shut or blackhole unused ones.

Bottom line: MACsec where you can, behavioural detection + physical security everywhere else. No switch add-on reliably catches a clean transparent bridge on its own — by design it looks exactly like the host it's hiding behind.
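
The "detect by behaviour, not identity" check from the reply above, sketched as an added example that is not part of the thread and not ISE or Secure Network Analytics code: it flags a profiled endpoint whose initiated flows contradict its profile. The profile names, allowed-port sets, fan-out threshold and flow records are all constructed assumptions.

```python
from collections import defaultdict

# Assumed policy: destination ports an endpoint of each profile may initiate.
# Profile names and port sets are illustrative, not ISE profiler output.
PROFILE_ALLOWED_PORTS = {
    "printer": {53, 67, 123, 443},
    "ip-phone": {53, 67, 69, 123, 5060, 5061},
}
SCAN_FANOUT = 10  # assumed threshold: distinct (host, port) targets per window

def find_suspect_endpoints(flows, endpoint_profiles):
    """Return {mac: [reasons]} for endpoints acting outside their profile.

    flows: iterable of (src_mac, dst_ip, dst_port) seen in one time window.
    endpoint_profiles: {mac: profile_name} as assigned by the NAC profiler.
    """
    off_profile = defaultdict(set)   # mac -> ports outside the profile
    targets = defaultdict(set)       # mac -> distinct (dst_ip, dst_port)
    for src_mac, dst_ip, dst_port in flows:
        profile = endpoint_profiles.get(src_mac)
        if profile not in PROFILE_ALLOWED_PORTS:
            continue  # no behavioural baseline for this endpoint
        targets[src_mac].add((dst_ip, dst_port))
        if dst_port not in PROFILE_ALLOWED_PORTS[profile]:
            off_profile[src_mac].add(dst_port)
    findings = {}
    for mac, seen in targets.items():
        reasons = []
        if off_profile[mac]:
            ports = ",".join(str(p) for p in sorted(off_profile[mac]))
            reasons.append("off-profile ports: " + ports)
        if len(seen) >= SCAN_FANOUT:
            reasons.append(f"fan-out to {len(seen)} targets")
        if reasons:
            findings[mac] = reasons  # candidates for quarantine review
    return findings

# Constructed sample window: two endpoints profiled as printers.
PROFILES = {"00:11:22:33:44:55": "printer", "00:11:22:33:44:66": "printer"}
FLOWS = [("00:11:22:33:44:66", "10.0.0.5", 443), ("00:11:22:33:44:66", "10.0.0.1", 53)]
# The second "printer" suddenly speaks SMB to many hosts and opens SSH.
FLOWS += [("00:11:22:33:44:55", f"10.0.0.{i}", 445) for i in range(1, 13)]
FLOWS += [("00:11:22:33:44:55", "10.0.0.20", 22)]

if __name__ == "__main__":
    for mac, reasons in find_suspect_endpoints(FLOWS, PROFILES).items():
        print(mac, "->", "; ".join(reasons))
```

Because a transparent bridge reuses the host's MAC and IP, the finding is keyed on the legitimate endpoint's identity; the signal is only that the traffic no longer matches what that device class does.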