Network dumps were made in our lab environment with a Mikrotik router.
When doing 802.1x over Ethernet, Mikrotik replies to an EAPOL-start request by sending to the Nearest-non-TPMR-bridge address
instead of to the MAC address that sent the EAPOL-start request (as Cisco does).
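
An added example (not part of the original captures or tooling) for checking this addressing behaviour when reading the dumps: it parses raw Ethernet frames and reports whether each EAP-Request seen after an EAPOL-Start was sent to the group address or to the supplicant's MAC. The group address 01:80:C2:00:00:03 is the IEEE-assigned value; the MAC addresses and sample frames are constructed, and extracting frames from a capture file is left to the caller.

```python
import struct

ETH_P_PAE = 0x888E                          # EtherType for EAPOL (IEEE 802.1X)
PAE_GROUP = bytes.fromhex("0180c2000003")   # Nearest non-TPMR Bridge group address
EAPOL_EAP, EAPOL_START = 0, 1               # EAPOL packet types
EAP_REQUEST = 1                             # EAP code carried in an EAPOL-EAP body

def parse_eapol(frame):
    """Return (dst, src, eapol_type, eap_code), or None if not an EAPOL frame."""
    if len(frame) < 18:                     # 14-byte Ethernet + 4-byte EAPOL header
        return None
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    eap_code = body[0] if ptype == EAPOL_EAP and body else None
    return dst, src, ptype, eap_code

def reply_addressing(frames):
    """List (authenticator_mac, kind) for every EAP-Request after an EAPOL-Start."""
    supplicants, results = set(), []
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        dst, src, ptype, code = parsed
        if ptype == EAPOL_START:
            supplicants.add(src)            # remember who asked to authenticate
        elif ptype == EAPOL_EAP and code == EAP_REQUEST and supplicants:
            kind = "group" if dst == PAE_GROUP else "unicast" if dst in supplicants else "other"
            results.append((src.hex(":"), kind))
    return results

# Constructed sample frames (not taken from the captures described on this page).
def make_frame(dst, src, ptype, body=b""):
    header = struct.pack("!HBBH", ETH_P_PAE, 2, ptype, len(body))
    return bytes.fromhex(dst) + bytes.fromhex(src) + header + body

SUPP, AUTH = "020000000001", "020000000002"     # constructed MAC addresses
EAP_ID_REQ = bytes([1, 1, 0, 5, 1])             # EAP Request, id 1, len 5, Identity
SAMPLE_GROUP = [make_frame("0180c2000003", SUPP, EAPOL_START),
                make_frame("0180c2000003", AUTH, EAPOL_EAP, EAP_ID_REQ)]
SAMPLE_UNICAST = [make_frame("0180c2000003", SUPP, EAPOL_START),
                  make_frame(SUPP, AUTH, EAPOL_EAP, EAP_ID_REQ)]

if __name__ == "__main__":
    print(reply_addressing(SAMPLE_GROUP))
    print(reply_addressing(SAMPLE_UNICAST))
```
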

Contains normal 802.1x flow with two different clients attempting 802.1x authentication:
- [email protected] connects via WiFi
- [email protected] connects over Ethernet

Contains logs and captures of 802.1x flow when EAP-Mirror attack is executed:
- [email protected] connects to rogue WiFi Access Point set up by Attacker ("EvilTwin")
- Attacker is connected to Ethernet port and forwards [email protected] authentication
- Attacker successfully authenticates as [email protected] over Ethernet