Technical Tip: CLI access fails due to SNMP v3 permissions
Description
This article describes how to investigate issues where a device fails CLI credential validation in the Administration UI, even though SSH access via CLI succeeds using the same credentials.
Scope
FortiNAC, FortiNAC-F.
Solution
Enable the TelnetServer plugin using FortiNAC CLI:
FortiNAC (CentOS):
logs
nacdebug -name TelnetServer true
tf output.master
FortiNAC-F (NACOS):
diagnose debug plugin enable TelnetServer
The issue is that FortiNAC must be able to read the sysDescription OID (1.3.6.1.2.1.1.1.0).
- This OID contains certain information (such as IOS version for Cisco devices) which is used to determine how to characterize and manage the device.
- If the device does not respond to queries for this OID, the appropriate set of CLI commands to use cannot be determined.
To determine if the sysDescription can be read, query the OID via the appliance CLI using the snmpwalk tool:
FortiNAC (CentOS):
snmpwalk -v 3 -u <username> -l <AuthPriv or NoAuthPriv> -a <MD5 or SHA> -A <password> -x <DES or AES> -X <password> <device ip_address> 1.3.6.1.2.1.1.1.0
<oid> OID value to manipulate data through snmp4j commands
--c, --context <context> The context value
--debug Turns on detailed debug
--bulk Does a bulk get instead of a getNext
Example of a normal response:
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 25-Mar-16 16:59 by mcpre
Example of a response when the OID cannot be read:
SNMPv2-MIB::sysDescr.0 = No Such Object available on this agent at this OID
When this error is returned, ensure the SNMP v3 permissions on the device allow access to the sysDescription OID (1.3.6.1.2.1.1.1.0).
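The snmpwalk check above can be triaged with a small shell helper. This is an added example, not part of the original article or of FortiNAC. The function name, verdict words and sample outputs are constructed for illustration, and the error strings other than the "No Such Object" line shown above are net-snmp messages assumed here.

```shell
#!/bin/sh
# Added example: classify snmpwalk output for sysDescr (1.3.6.1.2.1.1.1.0).
# Usage on the appliance CLI (2>&1 so error text is classified as well):
#   snmpwalk -v 3 ... <device ip_address> 1.3.6.1.2.1.1.1.0 2>&1 | sysdescr_verdict
sysdescr_verdict() {
    out=$(cat)    # snmpwalk stdout/stderr arrives on stdin
    case "$out" in
        # The agent answered, but the OID is outside what this SNMPv3 user
        # may read. Must be tested first: the line also contains "sysDescr.0 = ".
        *"No Such Object"*|*"No Such Instance"*|*"No more variables left in this MIB View"*)
            echo "view-restricted" ;;
        # The agent rejected the user name, auth password or privacy password.
        *"Authentication failure"*|*"Unknown user name"*|*"Decryption error"*)
            echo "credentials" ;;
        # No SNMP reply at all (ACL, firewall, wrong address, agent down).
        *"Timeout: No Response"*)
            echo "unreachable" ;;
        # A value came back, in symbolic or numeric OID form.
        *"sysDescr.0 = "*|*"1.3.6.1.2.1.1.1.0 = "*)
            echo "readable" ;;
        *)
            echo "unknown" ;;
    esac
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_OK='SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, Example Software, Version 0.0
Technical Support: http://www.cisco.com/techsupport'
SAMPLE_DENIED='SNMPv2-MIB::sysDescr.0 = No Such Object available on this agent at this OID'
SAMPLE_AUTH='snmpwalk: Authentication failure (incorrect password, community or key)'
SAMPLE_TIMEOUT='Timeout: No Response from 192.0.2.10'

for sample in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_AUTH" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$sample" | sysdescr_verdict
done
```

Only the "view-restricted" verdict corresponds to the SNMP v3 permission problem this article covers. The other verdicts point to credential or reachability problems that have to be resolved before the sysDescription read can be judged.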