FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
cmaheu
Staff
Article Id 372269
Description

This article describes how to retrieve the list of algorithms and ciphers FortiNAC uses for SSH communication with network devices. This is done using the CLI.

 

It is recommended to log the session output to a text file for later review. For FortiNAC servers running on CentOS, see article 228553.

Scope

FortiNAC-F, vF7.x 

Solution
  1. Enable debug. Log in to the FortiNAC-OS CLI as admin and run the appropriate commands below:

 

FortiNAC vF7.2, vF7.4:

 

diagnose debug logger set finest org.apache.sshd

diagnose tail -F output.master

 

FortiNAC vF7.6 +:

 

diagnose debug logger set trace org.apache.sshd

diagnose tail -F output.master

 

  2. Initiate an SSH session to the network device (for example, by selecting the Validate Credentials button in the device model under Network -> Inventory in the FortiNAC UI).
  3. Press Ctrl+C to stop the tail. Disable logging:

 

diagnose debug logger unset org.apache.sshd

 

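  4. Review the output.master log. Log entries will contain the list of algorithms that are being negotiated between the client (FortiNAC) and the server (Device). In each entry, guess= shows the algorithm selected for the session, client= lists the algorithms FortiNAC offers, and server= lists the algorithms the device offers.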

 

Kex algorithms:

 

org.apache.sshd.client.session.ClientSessionImpl FINEST :: 2025-01-23 13:21:56:310 :: #1141 :: negotiate(ClientSessionImpl[admin@/192.168.2.1:22])[kex algorithms] guess=diffie-hellman-group14-sha256 (client=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ext-info-c / server=diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521)

 

 

Ciphers (encryption algorithms):

 

org.apache.sshd.client.session.ClientSessionImpl FINEST :: 2025-01-23 13:21:56:310 :: #1141 :: negotiate(ClientSessionImpl[admin@/192.168.2.1:22])[encryption algorithms (client to server)] guess=aes256-ctr (client=chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc / server=aes256-ctr,aes256-gcm@openssh.com)

 

 

MAC Algorithms:

 

org.apache.sshd.client.session.ClientSessionImpl FINEST :: 2025-01-23 13:21:56:310 :: #1141 :: negotiate(ClientSessionImpl[admin@/192.168.2.1:22])[mac algorithms (client to server)] guess=hmac-sha2-256-etm@openssh.com (client=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 / server=hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-512-etm@openssh.com)
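Once the session output has been saved to a text file, the negotiate entries can be summarized with a short script. The following Python is an added example, not Fortinet code: the sample lines are constructed in the format shown above, and the SHA-1/CBC check is an assumed review policy, not something this article states.

```python
import re

# Format of the org.apache.sshd negotiate entries shown in this article.
NEGOTIATE = re.compile(
    r"negotiate\(ClientSessionImpl\[(?P<peer>[^\]]+)\]\)"
    r"\[(?P<kind>[^\]]+)\] guess=(?P<guess>\S+) "
    r"\(client=(?P<client>\S+) / server=(?P<server>[^)\s]+)\)"
)
# Assumed review policy (not from the article): flag SHA-1 and CBC-mode names.
LEGACY = re.compile(r"sha1|-cbc")

# Constructed sample lines (documentation IP, made-up timestamps).
SAMPLE = """\
org.apache.sshd.client.session.ClientSessionImpl FINEST :: 2025-01-01 00:00:00:000 :: #1 :: negotiate(ClientSessionImpl[admin@/192.0.2.10:22])[kex algorithms] guess=diffie-hellman-group14-sha1 (client=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256 / server=diffie-hellman-group14-sha1)
org.apache.sshd.client.session.ClientSessionImpl FINEST :: 2025-01-01 00:00:00:000 :: #1 :: negotiate(ClientSessionImpl[admin@/192.0.2.10:22])[encryption algorithms (client to server)] guess=aes256-ctr (client=chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc / server=aes128-cbc,aes256-ctr)
"""

def parse_negotiations(text):
    """Return one dict per negotiate entry found in output.master text."""
    results = []
    for m in NEGOTIATE.finditer(text):
        client = m["client"].split(",")
        server = set(m["server"].split(","))
        # SSH selects the first client-preferred name the server also offers,
        # so common[0] should equal the logged guess= value.
        common = [alg for alg in client if alg in server]
        results.append({
            "peer": m["peer"],
            "kind": m["kind"],
            "guess": m["guess"],
            "common": common,
            "legacy_negotiated": bool(LEGACY.search(m["guess"])),
            "legacy_server_offers": sorted(a for a in server if LEGACY.search(a)),
        })
    return results

if __name__ == "__main__":
    for entry in parse_negotiations(SAMPLE):
        flag = "LEGACY" if entry["legacy_negotiated"] else "ok"
        print(f'{entry["peer"]} {entry["kind"]}: {entry["guess"]} [{flag}]')
        if entry["legacy_server_offers"]:
            print("  device also offers:", ", ".join(entry["legacy_server_offers"]))
```

To use it on a real capture, pass the contents of the saved session log to `parse_negotiations` in place of `SAMPLE`.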

 

The following are supported as of FortiNAC versions F 7.2.8, F 7.4.1 and F 7.6.1.

 

--Kex--


diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group15-sha512
diffie-hellman-group16-sha512
diffie-hellman-group17-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org 
curve448-sha512

 

 

--Ciphers--


3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com 
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com 
chacha20-poly1305@openssh.com 


--MAC--


hmac-sha1
hmac-sha1-etm@openssh.com 
hmac-sha2-256
hmac-sha2-256-etm@openssh.com 
hmac-sha2-512
hmac-sha2-512-etm@openssh.com 
