Description
This article describes how to resolve an issue where, when selecting the Validate Credentials button in Model Configuration, the following message appears:
SNMP connect succeeded. However, the device failed to connect using CLI credentials.
The device either does not support a CLI or credentials are invalid.
Scope
FortiNAC, FortiNAC-F
Solution
- Verify the Protocol Type in the switch's Model Configuration is set appropriately (Telnet, SSH1 or SSH2). For example, if the Type is set to Telnet, ensure Telnet is enabled on the switch.
- Verify the CLI credentials in the Model Configuration match those set in the switch itself. Note the following:
  - The user account must have the appropriate permissions configured on the device.
  - If no enable password is configured in the switch for that user account (example: level 15 accounts), the Enable Password field in the Model Configuration must be left blank.
  - Arista switches can be configured to require typing 'enable' to enter enable mode, but no password is needed. For such configurations, populate the Enable Password field with the # character (requires version 8.7.2 or higher). For more details, see this article.
- Attempt to access the switch using the same credentials and Protocol Type set in Model Configuration. If it is not possible, use another device in the same subnet as the Control Server. Enter the following:
ssh <userid>@<device IP address>
telnet <device IP address>
If the connection attempt results in a 'connection refused' message, the port may be getting blocked somewhere on the network or the function may be disabled in the switch.
If the connection attempt succeeds and the switch is modelled using SNMP v3, the switch may not be responding to SNMP queries for the sysDescription OID (1.3.6.1.2.1.1.1.0).
For more details, see this article.
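The manual ssh/telnet test above can also be scripted. The following Python script is an added example, not part of the original article or any Fortinet tooling; it assumes the default ports 22 and 23, and its function names are hypothetical. It goes one step beyond the manual check by reading the SSH identification string to show whether the switch offers SSH1, SSH2 or both, which is what the Protocol Type must match.

```python
import socket
import sys

# Assumed default ports for the Protocol Types; change if the switch differs.
PORTS = {"Telnet": 23, "SSH": 22}


def protocol_type_from_banner(banner: str) -> str:
    """Map an SSH identification string to the Protocol Type(s) it allows."""
    if not banner.startswith("SSH-"):
        return "not SSH"
    version = banner.split("-", 2)[1]
    if version == "2.0":
        return "SSH2"
    if version == "1.99":  # RFC 4253: server accepts 2.0 and legacy 1.x clients
        return "SSH1 or SSH2"
    if version.startswith("1."):
        return "SSH1"
    return "unknown SSH version"


def probe(host: str, port: int, timeout: float = 5.0):
    """Return (state, banner); state is 'open', 'refused' or 'no response'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""      # service disabled or actively rejected
    except OSError:
        return "no response", ""  # timeout or unreachable, often filtering
    with sock:
        try:
            data = sock.recv(255)
        except OSError:           # connected, but nothing sent before timeout
            data = b""
    banner = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return "open", banner


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: cli_precheck.py <device IP address>")
    for name, port in PORTS.items():
        state, banner = probe(sys.argv[1], port)
        line = f"{name:6} tcp/{port}: {state}"
        if name == "SSH" and banner:
            line += f" ({banner} -> {protocol_type_from_banner(banner)})"
        print(line)
```

Run it from the same host used for the manual test, so the result reflects the same network path.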
Debugging.
If the behavior persists, further debugging may be required.
To investigate the problem, enable the following debugs in the FortiNAC CLI:
FortiNAC (CentOS):
logs
nacdebug -logger org.apache.sshd -level FINEST
nacdebug -name TelnetServer true
tf output.master
FortiNAC-F (NACOS):
diagnose debug plugin enable TelnetServer
diagnose debug logger set finest org.apache.sshd
diagnose tail -F output.master
After debugs are enabled, select 'Validate Credentials' again from the FortiNAC Model Configuration and investigate the output.
Press Ctrl+C to stop tail output when finished.
Disable debugging.
FortiNAC (CentOS):
logs
nacdebug -logger org.apache.sshd
nacdebug -name TelnetServer false
FortiNAC-F (NACOS):
diagnose debug plugin disable TelnetServer
diagnose debug logger unset org.apache.sshd
Open a support ticket and provide the following information: