FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 420750
Description This article describes how to troubleshoot and identify L2 poll failures caused by the password expiration policy on the CLI account.
Scope FortiNAC-F v7.6, FortiGate.
Solution

L2 polling is a critical FortiNAC function related to visibility: it collects location information and updates each host's online state. When L2 polling fails, FortiNAC reports the host as offline, and no control is applied to that endpoint location.


FortiNAC uses a CLI account configured on the network device to establish an SSH session and read the MAC address table.

If the account is configured with a password expiration policy, the user is prompted to change the password once the expiration period has passed, or when an option such as 'Force Password Change' is enabled on the account. See the reference documentation for the password policy.


To identify the issue in FortiNAC-F, enable the following debugs in the CLI:

naclab1 # diagnose debug plugin enable TelnetServer
naclab1 # diagnose debug logger set trace org.apache.sshd
naclab1 # diagnose tail -F output.master


Select 'Validate Credentials' in the FortiGate Model configuration in FortiNAC inventory.


The CLI output will show the following event log:

2025-11-27 11:20:28.205 +0100 [sshd-SshClient[1bae598e]-nio2-thread-2] TRACE o.a.sshd.client.channel.ChannelShell - handleData(ChannelShell[id=0, recipient=0]-ClientSessionImpl[Test@/10.10.10.1:22]) [chunk #1](54/54)  20 4f 6c 64 20 70 61 73 73 77 6f 72 64 3a 20 You.are.forced.to.change.your.password..Old.password:.


The password change prompt prevents FortiNAC from reading the MAC address table, and the poll times out.

Such cases lose visibility and, as a result, control operations fail as well.
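As an added example (not part of the original article), the following Python script scans output.master lines captured with the debugs above and flags SSH channel chunks that carry the forced password-change prompt quoted in this article. The sshd TRACE format is parsed from the line shown; the second, healthy sample line is constructed here for comparison.

```python
import re

# org.apache.sshd TRACE line written to output.master once
# "diagnose debug logger set trace org.apache.sshd" is enabled.
HANDLE_DATA_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4}) .*?ChannelShell - handleData\(.*?"
    r"ClientSessionImpl\[(?P<session>[^\]]+)\]\) \[chunk #\d+\]\(\d+/\d+\)\s+(?P<payload>.*)$"
)
# Prompt fragments quoted in this article that mean the CLI account is being
# pushed through a password change instead of reaching the command prompt.
PROMPT_PATTERNS = [re.compile(p, re.I) for p in
                   (r"forced to change your password", r"old password:")]
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def render_payload(payload):
    """Decode the sshd hex dump; sshd appends an ASCII rendering in which
    spaces and non-printables are dots, so that is folded in as a fallback."""
    tokens = payload.split()
    raw = bytes(int(t, 16) for t in tokens if HEX_BYTE.fullmatch(t))
    rendered = " ".join(t for t in tokens if not HEX_BYTE.fullmatch(t))
    return (raw.decode("ascii", "replace") + " " + rendered.replace(".", " ")).strip()

def find_password_change_prompts(lines):
    """Return (timestamp, session, text) for every chunk that carries a forced
    password-change prompt; an empty list means the prompt was not seen."""
    hits = []
    for line in lines:
        m = HANDLE_DATA_RE.match(line)
        if not m:
            continue
        text = render_payload(m.group("payload"))
        if any(p.search(text) for p in PROMPT_PATTERNS):
            hits.append((m.group("ts"), m.group("session"), text))
    return hits

# Constructed sample: the line quoted in the article, followed by a healthy
# chunk (made up here) in which the device answers with its normal prompt.
SAMPLE_LOG = [
    "2025-11-27 11:20:28.205 +0100 [sshd-SshClient[1bae598e]-nio2-thread-2] TRACE "
    "o.a.sshd.client.channel.ChannelShell - handleData(ChannelShell[id=0, recipient=0]"
    "-ClientSessionImpl[Test@/10.10.10.1:22]) [chunk #1](54/54)  20 4f 6c 64 20 70 61 "
    "73 73 77 6f 72 64 3a 20 You.are.forced.to.change.your.password..Old.password:.",
    "2025-11-27 11:20:29.010 +0100 [sshd-SshClient[1bae598e]-nio2-thread-2] TRACE "
    "o.a.sshd.client.channel.ChannelShell - handleData(ChannelShell[id=0, recipient=0]"
    "-ClientSessionImpl[Test@/10.10.10.1:22]) [chunk #2](6/6)  46 47 54 20 23 20 FGT.#.",
]

if __name__ == "__main__":
    for ts, session, text in find_password_change_prompts(SAMPLE_LOG):
        print(f"{ts} {session}: forced password change detected -> {text!r}")
```

A hit names the CLI user and device (the session field) whose account needs its expiration policy reviewed, which is the cause this article describes.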


It is recommended to use a password that never expires for the FortiNAC integration account.

If a global password policy applies to all accounts, the expiration can be unset for specific accounts in the FortiGate CLI.


Account settings in FortiGate:


config system admin
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set password-expire 2026-02-25 10:08:53
        set password ENC xxxx
    next
end


To disable the option in the FortiGate CLI (the setting is password-expire, matching the configuration shown above):

config system admin
    edit "Test"
        unset password-expire
    next
end


Related documents:

Technical Tip: Troubleshooting Poll failures

Password Policy