FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Article Id 422884
Description This article describes how to delete the ssh-known-hosts entry for devices integrated with FortiNAC that use a custom (non-default) SSH port.
Scope FortiNAC-F v7.6.3 and greater.
Solution

The GUI 'Clear Known Host' feature does not correctly handle hosts using non-default SSH ports (e.g., 2222). Although the command returns a successful status, the known host entry remains unchanged.


Figure 1. Clear Known Host from the FortiNAC GUI.

Figure 2. Successful output from FortiNAC GUI.

 

Verify the following information in the FortiNAC CLI. Note that the device on the custom port is stored in the bracketed [host]:port form rather than as a bare address:


FortiNAC_CLI # execute ssh-known-hosts show nac
192.168.5.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFrI2LuZz+6EFUYnAdD1UgrDQ9cJF2+A+JzGou1DmYK4zxZmJwSKLki2PDHSc8wKKZAlgba8Kec1DYx8XjbwDU4=
[192.168.1.1]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL6a6NdBAMRuEVcH2uwAvYPTZOuPavGVjjgooRyPR/Oaayu7y8hPCLWSSSGYIRvxI8yf7S8nmwsF4WUbu5eqO8c=


Log in to the FortiNAC-F CLI and run the following commands, passing the host in the same bracketed [host]:port form that the known_hosts entry uses:


FortiNAC_CLI# execute enter-shell

FortiNAC_CLI:~$ sudo /bsc/campusMgr/bin/internal/knownHosts remove <username> [<host>]:<port>

For example:


FortiNAC_CLI:~$ sudo /bsc/campusMgr/bin/internal/knownHosts remove nac [192.168.1.1]:2222
# Host [192.168.1.1]:2222 found: line 5
/bsc/.ssh/known_hosts updated.
Original contents retained as /bsc/.ssh/known_hosts.old


Verify from the FortiNAC CLI:

 

FortiNAC_CLI # execute ssh-known-hosts show nac
192.168.5.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFrI2LuZz+6EFUYnAdD1UgrDQ9cJF2+A+JzGou1DmYK4zxZmJwSKLki2PDHSc8wKKZAlgba8Kec1DYx8XjbwDU4=
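The reason the bare-address lookup misses a custom-port device is the OpenSSH known_hosts format itself: port 22 hosts are written as a plain address, while any other port is written as [host]:port. The following script is an added illustration of that format and of the remove-and-keep-backup behaviour shown in the output above; it is not the FortiNAC knownHosts tool and does not touch /bsc/.ssh/known_hosts. The sample file content and its key strings are constructed placeholders.

```python
"""Remove one host's entry from an OpenSSH known_hosts file, honouring the
[host]:port form that OpenSSH uses for non-default ports.

Added example for this article; it is not the FortiNAC knownHosts tool.
The sample file content is constructed and its key strings are placeholders.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

DEFAULT_SSH_PORT = 22

# Constructed known_hosts sample: one device on port 22, one on port 2222.
# The key fields are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = (
    "192.168.5.1 ecdsa-sha2-nistp256 AAAAPLACEHOLDERKEY1=\n"
    "[192.168.1.1]:2222 ecdsa-sha2-nistp256 AAAAPLACEHOLDERKEY2=\n"
)


def hostname_token(host: str, port: int = DEFAULT_SSH_PORT) -> str:
    """Return the hostname field OpenSSH writes for a host and port.

    Port 22 is written bare ("192.168.5.1"); any other port is written as
    "[host]:port".  A lookup keyed on the bare address therefore never
    matches a custom-port entry, which is the failure this article describes.
    """
    return host if port == DEFAULT_SSH_PORT else f"[{host}]:{port}"


def entry_matches(line: str, host: str, port: int) -> bool:
    """True when a known_hosts line names host:port.

    The first field may list several names separated by commas and may be
    preceded by a marker such as @cert-authority or @revoked.  Hashed
    entries (|1|...) are not decoded here and so never match.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    if fields[0].startswith("@"):
        fields = fields[1:]
    if not fields:
        return False
    return hostname_token(host, port) in fields[0].split(",")


def remove_entries(text: str, host: str, port: int) -> tuple[str, list[int]]:
    """Drop every line matching host:port from known_hosts text.

    Returns the remaining text and the 1-based numbers of the removed lines.
    """
    lines = text.splitlines(keepends=True)
    removed = [i for i, ln in enumerate(lines, 1) if entry_matches(ln, host, port)]
    kept = "".join(ln for i, ln in enumerate(lines, 1) if i not in removed)
    return kept, removed


def remove_known_host(path: Path, host: str, port: int) -> list[int]:
    """Apply remove_entries to a file, keeping the original as <name>.old.

    Mirrors the backup convention in the FortiNAC output above; returns the
    line numbers removed (an empty list means nothing matched and the file
    is left untouched).
    """
    kept, removed = remove_entries(path.read_text(), host, port)
    if removed:
        shutil.copyfile(path, path.with_name(path.name + ".old"))
        path.write_text(kept)
    return removed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / "known_hosts"
        kh.write_text(SAMPLE_KNOWN_HOSTS)
        # Bare address: no match, so the port-2222 entry survives.
        print("bare lookup removed:", remove_known_host(kh, "192.168.1.1", 22))
        # Bracketed form: the entry is found and removed, original kept as .old.
        print("bracketed lookup removed:", remove_known_host(kh, "192.168.1.1", 2222))
        print(kh.read_text(), end="")
        print("backup exists:", kh.with_name("known_hosts.old").exists())
```

Running the script shows the bare lookup removing nothing while the bracketed lookup removes line 2 and leaves known_hosts.old beside the file, which is the same outcome the knownHosts command above reports when given [192.168.1.1]:2222.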