FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ltusen
Staff
Article Id 409068
Description

This article describes how to resolve an issue where selecting the Validate Credentials button under the Credentials tab of a FortiGate returns the following message:

SNMP connect succeeded.  However, the device failed to connect using CLI credentials.
The device either does not support a CLI or credentials are invalid.

Here’s a breakdown of the symptoms:

  1. SNMP Connectivity Successful: FortiNAC recognizes the device through SNMP without any issues.
  2. CLI Connection (SSH) Fails with Validation: When attempting to validate CLI credentials on FortiNAC, the connection fails even though the credentials are accurate.
  3. The Show Events view for the FortiGate device may show the following errors:

L2 Poll Failed.
REST API Failure.
Telnet Server Timeout.
SSH Key invalid for FortiGate device.

Scope
FortiNAC v8.x, v9.x and FortiNAC-F v7.2.x, v7.4.x, v7.6.x and above.
Solution
  1. Navigate to FortiNAC Admin UI -> Network -> Inventory -> select the FortiGate -> Credentials tab, and remove the FortiGate device from the SSH Known Hosts List by selecting the 'Clear Known Host' button.
  2. Validate that the FortiNAC service account has the appropriate permissions configured and is set as 'Super Admin' on the local FortiGate.
  3. Password expiration for the FortiNAC admin account configured on the local FortiGate device must be disabled. To disable password expiration for a specific admin account on the FortiGate, refer to: Technical Tip: How to enable/disable password expiration for specific FortiManager admin user. The REST API admin account must also exist on the FortiGate device. If the REST API admin account is missing, refer to the KB article below to configure it: Technical Tip: How to configure & use API token to communicate with FortiGate.
  4. For more information, refer to Troubleshooting Tip: Troubleshoot FortiGate REST API access in a FortiNAC integration.
  5. Log into the FortiNAC CLI and attempt to ping and access the FortiGate device over SSH with the same CLI credentials and Protocol Type set under the Credentials tab in the FortiNAC Inventory. If a custom SSH port other than the default 22 is used, use the corresponding command form below:

FortiNAC (CentOS) v8.x, v9.x:

ping <FortiGate-IP-Address>   <-- The ping test must be successful.

ssh <userid>@<FortiGate-IP-Address>

ssh -p <custom-ssh-port> <userid>@<FortiGate-IP-Address>   <-- OpenSSH takes a custom port with -p; a trailing port argument would be sent as a remote command instead.

FortiNAC-F (NacOS) v7.2.x, v7.4.x, v7.6.x:

execute ping <FortiGate-IP-Address>   <-- The ping test must be successful.

execute ssh <userid>@<FortiGate-IP-Address>

execute ssh <userid>@<FortiGate-IP-Address> <custom-ssh-port>

When prompted to accept the fingerprint, type 'Yes' and press Enter to continue. This re-adds the FortiGate device to the SSH Known Hosts list in FortiNAC with its new SSH key.

Resync Interfaces for the FortiGate: navigate to Network -> Inventory, select the FortiGate device and select Resync Interfaces. Then select 'Yes' on the confirmation dialog to continue.

Test the credentials validation again under the Credentials tab. The test should be successful.
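As an added illustration (not FortiNAC or Fortinet code) of why clearing the known host and re-accepting the fingerprint resolves the 'SSH Key invalid for FortiGate device' event: the check below compares the host key a FortiGate presents now with the key cached in an OpenSSH-format known_hosts file, including the '[host]:port' form OpenSSH uses for custom SSH ports. It assumes plain (unhashed) known_hosts entries as written by the CentOS ssh client in step 5; the addresses, keys and file content are constructed sample data, and FortiNAC's own Known Hosts list is not assumed to be this file.

```python
import base64
import hashlib

# Constructed sample key blobs in SSH wire format (made up, not real FortiGate keys).
OLD_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
NEW_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32, 64))).decode()

# Constructed known_hosts content: one FortiGate on the default port, one on a
# custom port (OpenSSH stores non-22 entries as "[host]:port").
SAMPLE_KNOWN_HOSTS = f"""
# cached before the FortiGate's host key changed (e.g. firmware reinstall)
192.0.2.10 ssh-ed25519 {OLD_KEY}
[192.0.2.20]:2222 ssh-ed25519 {OLD_KEY}
"""

def known_hosts_name(host, port=22):
    """Name under which OpenSSH records a host in known_hosts."""
    return host if port == 22 else f"[{host}]:{port}"

def parse_known_hosts(text):
    """Map (host name, key type) -> base64 key for plain, unhashed entries."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue  # comments, @marker lines and hashed entries are skipped here
        for name in parts[0].split(","):
            entries[(name, parts[1])] = parts[2]
    return entries

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint, the value shown at the accept-fingerprint prompt."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(known_hosts_text, host, port, keytype, presented_key):
    """Compare the key the device presents now (e.g. from ssh-keyscan) with the
    cached one. Returns 'unknown', 'match' or 'stale'."""
    cached = parse_known_hosts(known_hosts_text).get((known_hosts_name(host, port), keytype))
    if cached is None:
        return "unknown"   # first contact: ssh will prompt to accept the fingerprint
    if cached == presented_key:
        return "match"     # known host is fine; look at credentials and permissions instead
    return "stale"         # key changed: the 'SSH Key invalid' case, clear the known host

if __name__ == "__main__":
    for host, port, now in [("192.0.2.10", 22, NEW_KEY), ("192.0.2.20", 2222, OLD_KEY), ("192.0.2.30", 22, NEW_KEY)]:
        state = check_host_key(SAMPLE_KNOWN_HOSTS, host, port, "ssh-ed25519", now)
        print(f"{known_hosts_name(host, port)}: {state} (presented {fingerprint(now)})")
```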


Related articles:

Troubleshooting Tip: Troubleshooting CLI credential failure

Troubleshooting Tip: CLI credential validation fails in device integrations using a VIP

Troubleshooting Tip: Troubleshoot FortiGate REST API access in a FortiNAC integration

Technical Tip: How to configure & use API token to communicate with FortiGate