Technical Tip: How to disable public key authentication FortiNAC uses against modeled devices in Inventory
| Description | This article describes how to disable FortiNAC's ability to use public key authentication against devices. The setting can be disabled at a device level or a global level.
Note: As of FortiNAC vF7.2.9, F7.4.1 and v7.6.3, Public Key Authentication will be disabled by default. |
| Scope | FortiNAC-F v7.2 and above. |
| Solution | Workaround for earlier versions:
Option 2: Disable the setting per device (GUI Method - vF 7.6.2 and above):
Option 3: Disable the setting per device (CLI Method - All other versions):
Type:
device -ip <IP> -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value "false"
Where <IP> is the actual IP of the modeled device on which to disable the setting.
Example:
(This step is not required if Public Key Authentication was disabled via GUI in step 1.)
List existing SSH keys for the nac user (owner of the FortiNAC process). Type:
Example output:
Note: The name of the SSH key is the text before the ':' and is used in the remove command.
Example:
execute ssh-authentication-keys remove nac id_rsa
Note: SSH public keys are automatically re-added when FortiNAC services restart, so the keys must be removed after each restart. This behavior is due to an issue with the underlying SSH client and is fixed in vF 7.6.3 GA. |
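When Option 3 has to be applied to many modeled devices, the following added example (not from the article or from Fortinet) builds one `device -ip ... -setAttr` line per address from an inventory list and rejects any entry that is not a plain IPv4 address, so a malformed line cannot add arguments to the command. The function names and the list format are assumptions; the script only prints the commands for review and does not contact FortiNAC.

```shell
#!/bin/sh
# Added example: emit the article's per-device command for each IP in a list.
# Function names and the list format (one IP per line, '#' comments) are assumptions.

# Succeeds only for a dotted-quad IPv4 address: four octets, 0-255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1                      # split on dots; input holds only digits and dots
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            case "$octet" in 0?*|????*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Reads IPs on stdin, writes commands on stdout, reports rejects on stderr.
# Returns 1 if any line was rejected so a wrapper can stop before anything is run.
gen_commands() {
    seen=" "
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$ip" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$ip"; then
            printf 'rejected, not an IPv4 address: %s\n' "$ip" >&2
            rc=1
            continue
        fi
        case "$seen" in *" $ip "*) continue ;; esac   # skip duplicates
        seen="$seen$ip "
        printf 'device -ip %s -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value "false"\n' "$ip"
    done
    return "$rc"
}

# Stand-alone use: sh gen.sh devices.txt
if [ "$#" -gt 0 ]; then
    gen_commands < "$1"
fi
```

A non-zero exit status means at least one line was rejected; correct the list before typing any of the generated commands.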

