Tap Mode: Bypassing 802.1X NAC with a Transparent Bridge
TL;DR
Tap mode on the Phantom bypasses 802.1X and MAB network access control by creating a transparent Layer 2 bridge that inherits an existing authenticated session. The dual native 2.5GbE ports forward frames at wire speed with sub-microsecond latency, keeping the switch unaware of the inline device -- something USB-based Raspberry Pi setups cannot achieve reliably.
Network Access Control exists to keep unauthorized devices off the network. When it works, plugging a rogue device into a wall jack gets you nothing -- no IP address, no VLAN assignment, no route to anything useful. Tap mode on the Phantom is how you get past it. This article explains the techniques involved, the hardware requirements that make them work reliably, and why you cannot replicate this with consumer-grade hardware.
What Does NAC Actually Enforce?
Network Access Control typically relies on two mechanisms: 802.1X port-based authentication and MAC Authentication Bypass (MAB). Understanding both is necessary to understand why the bypass works.
802.1X Port-Based Authentication
In an 802.1X deployment, the switch port starts in an unauthorized state. No traffic passes except EAP (Extensible Authentication Protocol) frames between the device (the supplicant) and the switch (the authenticator). The supplicant presents credentials -- typically a machine certificate or user credentials -- which the switch forwards to a RADIUS server. If the RADIUS server approves, the switch transitions the port to an authorized state and optionally assigns a VLAN based on the RADIUS response. The device is now on the network.
The important detail: once the port is authorized, the switch does not re-authenticate on every frame. The session persists until the port link drops, the reauthentication timer expires (commonly 3600 seconds, sometimes longer), or the switch receives a RADIUS Change-of-Authorization (CoA) message. The session is identified by the port, not by continuous cryptographic verification of every frame.
MAC Authentication Bypass (MAB)
Not every device supports 802.1X. Printers, IP phones, cameras, and IoT devices often cannot run a supplicant. For these, MAB provides a fallback: the switch observes the device's MAC address and sends it to the RADIUS server as both username and password. If the MAC is in the allow list, the port is authorized. MAB is weaker than 802.1X because MAC addresses can be spoofed, but it is ubiquitous in enterprise environments because the alternative is giving up on NAC for half the devices on the network.
How Does the Transparent Bridge Technique Work?
The bypass is conceptually simple. You find an authenticated device on the network -- a printer, an IP phone, a conference room display -- and unplug it from the wall jack. You plug the wall jack into one of the Phantom's Ethernet ports (the "upstream" port facing the switch). You plug the original device into the other Ethernet port (the "downstream" port). The Phantom creates a transparent Layer 2 bridge between the two ports.
From the switch's perspective, the link never dropped. The bridge forwards all frames between the switch and the original device with the original device's source MAC addresses intact. The 802.1X session continues uninterrupted. The VLAN assignment stays the same. The switch sees the same MAC address on the same port, and the reauthentication timer is not reset because the link state did not change.
Here is the critical part: because the Phantom sits inline, it can now inject its own frames into the authenticated session. It uses the original device's MAC address as the source MAC, so the switch treats the frames as coming from the authenticated device. The Phantom is now on the network, in the correct VLAN, with full Layer 2 and Layer 3 access, without ever having authenticated.
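Because the switch only sees the authorized MAC on the authorized port, detecting this kind of session inheritance falls to the traffic itself: a device that MAB authorized as a printer should not start opening SMB or LDAP sessions. The following is an added example of that check, not code from the Phantom or from this article; it assumes a flow source such as NetFlow/IPFIX or a SPAN capture, a MAB inventory that records each device's class, and an expected-port profile per class. All MACs, addresses and flows below are constructed.

```python
from collections import defaultdict

# Constructed MAB inventory: MAC -> device class the RADIUS allow list
# authorized the port as. Values are made up for this example.
MAB_INVENTORY = {"00:11:22:33:44:55": "printer", "00:aa:bb:cc:dd:ee": "ip-phone"}

# Outbound destination ports each class is expected to initiate (assumed
# baseline). Anything else from that MAC is worth a look; the switch
# and the NAC logs will not flag it, because the session is still valid.
EXPECTED_OUTBOUND = {
    "printer":  {53, 123, 443},         # DNS, NTP, firmware / cloud print
    "ip-phone": {53, 123, 5060, 5061},  # DNS, NTP, SIP
}
SCAN_THRESHOLD = 8  # distinct peers contacted by one device in the window

# Constructed flow records: the printer's MAC is suddenly talking to
# SMB (445) and LDAP (389) on many hosts, as a relay/harvesting tool would.
FLOWS = [
    {"src_mac": "00:11:22:33:44:55", "dst": "10.0.0.2",  "dport": 53},
    {"src_mac": "00:11:22:33:44:55", "dst": "10.0.0.2",  "dport": 123},
    {"src_mac": "00:11:22:33:44:55", "dst": "10.0.5.10", "dport": 445},
    {"src_mac": "00:11:22:33:44:55", "dst": "10.0.5.11", "dport": 389},
    {"src_mac": "00:aa:bb:cc:dd:ee", "dst": "10.0.0.9",  "dport": 5060},
]
FLOWS += [{"src_mac": "00:11:22:33:44:55", "dst": f"10.0.5.{i}", "dport": 445}
          for i in range(20, 30)]

def detect(flows, inventory=MAB_INVENTORY, expected=EXPECTED_OUTBOUND):
    """Return (mac, reason) alerts for MAB devices behaving unlike their class."""
    alerts, seen, peers = [], set(), defaultdict(set)
    for f in flows:
        cls = inventory.get(f["src_mac"])
        if cls is None:
            continue  # not a MAB device; 802.1X supplicants need their own baseline
        peers[f["src_mac"]].add(f["dst"])
        key = (f["src_mac"], f["dport"])
        if f["dport"] not in expected[cls] and key not in seen:
            seen.add(key)  # one alert per unexpected port, not per flow
            alerts.append((f["src_mac"], f"{cls} opened port {f['dport']} to {f['dst']}"))
    for mac, dsts in peers.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append((mac, f"{inventory[mac]} contacted {len(dsts)} distinct hosts"))
    return alerts

if __name__ == "__main__":
    for mac, reason in detect(FLOWS):
        print(mac, reason)
```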
Why Speed Matters
The bridge must forward frames at wire speed with minimal added latency. Several things break if it does not. First, many switches monitor port link state transitions -- if the link drops even briefly during the device swap, the switch resets the 802.1X session and the port returns to an unauthorized state. The Phantom's dual 2.5GbE ports are wired directly to the SoC, and the bridge is configured in the kernel before the ports are brought up. The swap window -- the time between unplugging the original device and completing the bridge -- must be under the switch's link-down detection threshold, which is typically 100-300 milliseconds.
Second, the original device (the printer, phone, etc.) may have timing-sensitive protocols running -- LLDP, CDP, STP BPDUs, keepalives. If the bridge adds enough latency to disrupt these, the switch may notice. USB-to-Ethernet dongles add 1-3 milliseconds of latency per frame due to USB bus overhead, which is enough to cause LLDP timing violations on some switches. The Phantom's native PCIe Ethernet ports add sub-microsecond latency, which is indistinguishable from a passive cable extension.
VLAN Hopping
Once you are on the network through the bridge, you are in whatever VLAN the original device was assigned. A printer VLAN may not be where the interesting targets live. VLAN hopping lets you reach other VLANs from your bridged position.
DTP Negotiation
Dynamic Trunking Protocol is Cisco's protocol for automatically negotiating trunk links between switches. If the switch port is configured in "dynamic auto" or "dynamic desirable" mode (which is the default on many Cisco switches), it will negotiate a trunk with any device that requests one. The Phantom can send DTP frames requesting trunk mode, and if the switch accepts, the port becomes a trunk carrying all VLANs. You now have Layer 2 access to every VLAN on that switch.
Properly configured networks disable DTP on access ports ("switchport mode access" plus "switchport nonegotiate"). In practice, many enterprise networks have at least some ports with DTP enabled because it was the default and nobody changed it. Tap mode automatically attempts DTP negotiation on the upstream port and reports the result to the dashboard.
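The two settings above, and the native-VLAN condition that double-tagging (discussed below) depends on, can be checked mechanically against a running-config dump. This is an added example, not the Phantom's or the article's own code; it assumes Cisco IOS syntax ("switchport mode", "switchport nonegotiate", "switchport trunk native vlan", and the global "vlan dot1q tag native") and the config excerpt is constructed.

```python
import re

# Constructed running-config excerpt (not from any real device): one hardened
# access port, one port left at the DTP default, and a trunk whose native
# VLAN (1) is also the access VLAN of the second port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport access vlan 1
interface GigabitEthernet1/0/48
 switchport trunk native vlan 1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each interface name to its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def audit(config):
    """Return {interface: [findings]} for the DTP and double-tagging preconditions."""
    interfaces = parse_interfaces(config)
    tag_native = "vlan dot1q tag native" in config.splitlines()
    native_vlans = {int(m.group(1)) for lines in interfaces.values() for l in lines
                    if (m := re.fullmatch(r"switchport trunk native vlan (\d+)", l))}
    findings = {}
    for name, lines in interfaces.items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        issues = []
        if mode == "trunk":
            if not tag_native:  # an untagged native VLAN is what lets the outer tag be stripped
                issues.append("native VLAN sent untagged (no global 'vlan dot1q tag native')")
        else:
            if mode != "access":
                issues.append("no 'switchport mode access' (port may negotiate a trunk)")
            if "switchport nonegotiate" not in lines:
                issues.append("no 'switchport nonegotiate' (DTP frames not suppressed)")
            for l in lines:
                m = re.fullmatch(r"switchport access vlan (\d+)", l)
                if m and int(m.group(1)) in native_vlans:
                    issues.append(f"access VLAN {m.group(1)} is also a trunk native VLAN")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, *issues, sep="\n  ")
```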
802.1Q Double-Tagging
If DTP negotiation fails, 802.1Q double-tagging is the next option. This attack exploits the way switches process VLAN tags. You craft a frame with two 802.1Q tags: the outer tag matches the native VLAN of the trunk between switches, and the inner tag is the target VLAN you want to reach. When the first switch processes the frame, it strips the outer tag (because it matches the native VLAN) and forwards the frame with only the inner tag. The next switch sees the inner tag and forwards the frame to the target VLAN.
Double-tagging has a limitation: it is unidirectional. You can send frames to the target VLAN, but responses come back on the target VLAN and will not reach you on the native VLAN (unless you have also set up a route or a second bridge). It is most useful for one-shot attacks -- injecting a rogue DHCP response, sending a crafted SMB packet, or planting a Responder instance -- where you do not need bidirectional communication. Tap mode handles the frame crafting automatically; you specify the target VLAN in the dashboard and the Phantom generates the double-tagged frames.
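A monitoring sensor on a SPAN or tap port can recognise the frame shape described above by walking the 802.1Q tag stack. The parser below is an added example, not code from the Phantom or from this article; it assumes the monitored trunk's native VLAN is 1, and the three sample frames (broadcast destination, made-up source MAC, zero-filled payload) are constructed, not captured.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that introduces an 802.1Q tag
NATIVE_VLAN = 1      # assumed native VLAN of the monitored trunk (constructed value)

def parse_vlan_tags(frame):
    """Walk the 802.1Q tag stack of a raw Ethernet frame.

    Returns (vlan_ids, inner_ethertype). Each tag is 4 bytes: the TPID and a
    TCI whose low 12 bits are the VLAN ID; the 2 bytes after the last tag are
    the EtherType of the actual payload.
    """
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    offset = 12  # skip destination and source MAC
    vlan_ids = []
    ethertype, = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)
        offset += 4
    return vlan_ids, ethertype

def classify(frame, native_vlan=NATIVE_VLAN):
    """Label a frame for a rule watching an access port or trunk."""
    vlan_ids, _ = parse_vlan_tags(frame)
    if len(vlan_ids) >= 2 and vlan_ids[0] == native_vlan:
        # Outer tag equals the native VLAN: the first switch strips it and
        # forwards the inner tag onward, which is the hop described in the text.
        return "double-tag-native", vlan_ids
    if len(vlan_ids) >= 2:
        return "double-tag", vlan_ids
    if vlan_ids:
        return "tagged", vlan_ids
    return "untagged", vlan_ids

# Constructed sample frames: broadcast dst, made-up src MAC, IPv4/ARP
# EtherType, zero-filled payload. Not captured traffic.
HDR = bytes.fromhex("ffffffffffff" "001122334455")
FRAMES = {
    "untagged":      HDR + bytes.fromhex("0800") + bytes(46),
    "printer_vlan":  HDR + bytes.fromhex("8100000a" "0800") + bytes(46),
    "hop_to_vlan20": HDR + bytes.fromhex("81000001" "81000014" "0806") + bytes(46),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:14} -> {classify(frame)}")
```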
Why Can't You Do This with a Raspberry Pi?
The most common improvised drop box is a Raspberry Pi with two USB-to-Ethernet adapters. It fails at this specific task for several concrete reasons:
- No native dual Ethernet. Both ports go through USB. The Pi 4 has a single native Gigabit port on the SoC, but adding a second requires USB 3.0 adapters. Bridging two USB Ethernet devices introduces enough latency to disrupt 802.1X session inheritance on most enterprise switches.
- Link state detection. USB Ethernet adapters have a measurably slower link-up time than native ports. The swap window -- the time the switch sees the link as down -- is typically 500-1500 milliseconds with USB adapters versus under 100 milliseconds with native ports. Many switches will reset the 802.1X session in that window.
- Frame forwarding rate. A Pi 4 bridging two USB Ethernet adapters maxes out around 300-400 Mbps of throughput due to USB bus saturation. On a 1 Gbps port, this means dropping frames under load, which is visible to any monitoring system watching for port utilization anomalies.
- No 2.5GbE. An increasing number of enterprise switches have 2.5 or 5 Gbps access ports. A Pi with USB Gigabit adapters creates a bottleneck that changes the observed port speed, which is logged by most switch management platforms.
What Happens After You Are On the Network?
With Tap mode active and the bridge established, the Phantom has a foothold in the target VLAN. From here, the other modes take over. Venom mode begins credential harvesting -- Responder, NTLM relay, mitm6 -- all operating within the authenticated VLAN. Scope mode captures all traffic crossing the bridge for passive analysis. If you achieved VLAN hopping, you can run attacks against multiple VLANs simultaneously.
The bridge also provides a passive tap on all traffic between the original device and the switch. This traffic is mirrored to the local PCAP buffer and, if bandwidth permits, streamed over 4G to your dashboard in real time. In environments where the bridged device handles sensitive traffic (a VoIP phone in an executive's office, for example), this passive capture alone can be the highest-value output of the engagement.
All of this happens without the Phantom ever authenticating to the network. The switch thinks it is still talking to the original device. The RADIUS server never saw a new authentication request. The NAC system's logs show nothing unusual. That is the point.