Sheikh
Staff
April 30, 2026

Technical Tip: How to allow newly created admin users to log in to FortiNAC-F via CLI


Description

This article describes how to enable newly created admin users to access the FortiNAC-F CLI/console.

Scope

FortiNAC-F (all supported versions of NACOS).

Solution

In FortiNAC-F, GUI administrator accounts and CLI administrator accounts are separate entities.

As stated in the CLI Console section of the Administration guide:

  • The CLI console requires a separate login from GUI credentials.

This means:

  • A user created in the GUI (Admin UI) cannot automatically be used for:

    • SSH login.

    • Console login.

    • CLI console access within the GUI.

  • CLI access requires separate credentials and configuration.

  • There is no automatic synchronization between GUI and CLI user databases.

After creating an admin account via the GUI, the following error appears when attempting to log in through the CLI/console:


[Screenshot of the login error: 714f6d96.png]


Step 1: Create or modify the CLI admin user.


To allow CLI access, the admin account must be created or configured from the CLI itself.


# config system admin
# edit <username>
# set password <password>
# end


Notes:

  • Use the same username for CLI admin as the GUI admin account if desired.

  • This creates a CLI admin user only, not a GUI admin.

  • GUI and CLI accounts remain independent even if usernames match.

  • The config system admin context is the official method to manage CLI users.


Step 2: Ensure SSH access is enabled.


Even with a valid CLI user, login will fail if SSH access is not enabled on the interface.

Verify and enable SSH:


config system interface
    edit port1
        set allowaccess ssh <-----------------
end


Important:

  • Confirm that SSH is enabled on the correct interface (e.g., port1) by running this command in the FortiNAC-F CLI:


show system interface


  • Adjust the interface settings as required.

  • If other protocols are already enabled on the interface, 'set allowaccess ssh' replaces the whole list and removes them. In that case, use 'append allowaccess ssh' to add SSH while keeping the existing protocols.

  • Another option is to use 'set allowaccess' with the complete list: all protocols that are already enabled, plus ssh.


config system interface
    edit port1
        set allowaccess dhcp dns fsso http http-adminui https https-adminui nac-agent nac-ipc snmp ssh <-------------------
    end
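
The set-versus-append caveat above can be checked before touching the interface. The following Python is an added example, not part of the original article or any Fortinet tooling: it reads saved `show system interface` output and reports, per interface, whether SSH is already allowed, which protocols a plain 'set allowaccess ssh' would drop, and the two non-destructive forms. The sample output and its layout are constructed assumptions, and `parse_allowaccess` and `plan_ssh` are hypothetical helper names.

```python
# Added example: audit saved `show system interface` output before enabling SSH.
# SAMPLE is constructed; its layout (quoted names, next/end) is an assumption.
SAMPLE = """\
config system interface
    edit "port1"
        set allowaccess https-adminui nac-agent snmp
    next
    edit "port2"
        set allowaccess dhcp dns ssh
    next
    edit "port3"
    next
end
"""

def parse_allowaccess(text):
    """Map each interface name to the protocols on its allowaccess line."""
    access, current, depth = {}, None, 0
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            depth += 1                      # nested config blocks are skipped
        elif words[0] == "end":
            depth -= 1
            if depth == 0:                  # 'end' straight out of an edit block
                current = None
        elif depth == 1 and words[0] == "edit" and len(words) > 1:
            current = words[1].strip('"')
            access[current] = []            # no allowaccess line means empty list
        elif depth == 1 and words[0] == "next":
            current = None
        elif depth == 1 and current and words[:2] == ["set", "allowaccess"]:
            access[current] = words[2:]
    return access

def plan_ssh(text, interface):
    """Return the non-destructive ways to add ssh to one interface."""
    access = parse_allowaccess(text)
    if interface not in access:
        raise KeyError(f"interface {interface!r} not in output")
    current = access[interface]
    if "ssh" in current:
        return {"enabled": True, "append": None, "set": None, "dropped_by_plain_set": []}
    full = " ".join(sorted(set(current) | {"ssh"}))
    return {"enabled": False, "append": "append allowaccess ssh",
            "set": "set allowaccess " + full, "dropped_by_plain_set": sorted(current)}
```

For example, `plan_ssh(SAMPLE, "port1")` shows that a plain 'set allowaccess ssh' on port1 would drop https-adminui, nac-agent and snmp.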


Summary:

  • GUI-created admin users cannot log in to the CLI by default.

  • CLI access requires separate user configuration via the CLI.

  • GUI and CLI accounts are not synchronized.

  • SSH access must be explicitly enabled on the interface.


This behavior is expected by design in FortiNAC-F and ensures proper separation between administrative access methods, improving security and access control.

