FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Jean-Philippe_P
Moderator
Article Id 266928
Description
This article describes how to add a Huawei switch to FortiNAC over SNMPv3 and SSH.
Scope

Huawei S5735-L8P4S-QA1 V200R022C00SPC500.

FortiNAC v9.4.3.0752.

Solution
  1. Huawei Switch SNMP Configuration.
    1. Log in to the switch.
    2. Add the following configuration (replace the values in '<>' with your own):
snmp-agent
snmp-agent local-engineid <own ID>
snmp-agent sys-info contact <name>
snmp-agent sys-info location <location>
snmp-agent sys-info version v3
snmp-agent group v3 <group-name> privacy read-view isoview write-view isoview notify-view isoview
snmp-agent target-host trap address udp-domain <ip> params securityname <name> v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 <name>
snmp-agent usm-user v3 <name> group <group-name>
snmp-agent usm-user v3 <name> authentication-mode sha2-256 <password>
snmp-agent usm-user v3 <name> privacy-mode aes256 <password>
snmp-agent trap source <interface>
snmp-agent trap enable
undo snmp-agent protocol source-status all-interface
snmp-agent protocol source-interface <interface>
undo snmp-agent protocol source-status ipv6 all-interface
 
  2. Huawei Switch AAA Configuration.
    1. Log in to the switch.
    2. Add the following configuration (replace the values in '<>' with your own):

    aaa
    local-user <username> password irreversible-cipher <password>
    local-user <username> privilege level 15
    local-user <username> ftp-directory flash:
    local-user <username> http-directory flash:
    local-user <username> service-type telnet terminal ssh ftp http


  3. SSH Configuration.
    1. Log in to the switch.
    2. Add the following configuration (replace the values in '<>' with your own):
    ssh user <username>
    ssh user <username> authentication-type password
    ssh user <username> service-type all
    ssh user <username> sftp-directory flash:
    ssh client first-time enable
    ssh server-source -i <interface>
    ssh server cipher aes256_ctr aes128_ctr
    ssh server hmac sha2_256
    ssh server key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
    ssh client cipher aes256_ctr aes128_ctr
    ssh client hmac sha2_256
    ssh client key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
    ssh server dh-exchange min-len 2048

    Note: if this configuration does not work, run the following command first:

    'ssh server publickey ecc'

    Without it, FortiNAC may fail to connect: an SSH session to the switch can be established from the FortiNAC Unix terminal, but the Inventory view reports that it cannot connect over SSH. After ECC is added to the server public-key configuration, the connection works.
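    As an added example (not Fortinet's or Huawei's own code), the following Python script audits a Huawei VRP SNMP/SSH snippet against the settings used in the sections above: SNMPv3 only, authPriv groups, sha2-256/aes256 users, CTR-only SSH ciphers, sha2_256 HMAC, a 2048-bit DH minimum and a bound SNMP source interface. The user, group and interface names and both sample configurations are constructed for the example.

```python
"""Audit a Huawei VRP SNMPv3/SSH snippet against the settings this article uses (added example)."""
import re

# Constructed sample: the article's lines with placeholders filled in.
GOOD_CONFIG = """\
snmp-agent sys-info version v3
snmp-agent group v3 nac-group privacy read-view isoview write-view isoview notify-view isoview
snmp-agent usm-user v3 nacuser group nac-group
snmp-agent usm-user v3 nacuser authentication-mode sha2-256 <auth-password>
snmp-agent usm-user v3 nacuser privacy-mode aes256 <priv-password>
snmp-agent protocol source-interface Vlanif10
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh server dh-exchange min-len 2048
"""
# Constructed weakened variant: v2c left on, authNoPriv group, legacy algorithms, no source interface.
WEAK_CONFIG = """\
snmp-agent sys-info version v2c v3
snmp-agent group v3 nac-group read-view isoview
snmp-agent usm-user v3 nacuser authentication-mode md5 <auth-password>
snmp-agent usm-user v3 nacuser privacy-mode des56 <priv-password>
ssh server cipher aes256_cbc aes128_ctr
ssh server hmac md5
ssh server dh-exchange min-len 1024
"""

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        w = ln.split()
        if ln.startswith("snmp-agent sys-info version") and set(w[3:]) != {"v3"}:
            findings.append("SNMP versions other than v3 enabled: " + " ".join(w[3:]))
        elif ln.startswith("snmp-agent group v3") and "privacy" not in w:
            findings.append(f"SNMPv3 group {w[3]} is not authPriv (no 'privacy')")
        elif m := re.match(r"snmp-agent usm-user v3 (\S+) (authentication|privacy)-mode (\S+)", ln):
            want = {"authentication": "sha2-256", "privacy": "aes256"}[m.group(2)]
            if m.group(3) != want:
                findings.append(f"user {m.group(1)}: {m.group(2)} mode {m.group(3)}, expected {want}")
        elif ln.startswith("ssh server cipher"):
            bad = [c for c in w[3:] if not c.endswith("_ctr")]  # only CTR modes, as in the article
            findings += ["non-CTR SSH server ciphers: " + " ".join(bad)] if bad else []
        elif ln.startswith("ssh server hmac") and w[3:] != ["sha2_256"]:
            findings.append("SSH server HMAC is not sha2_256: " + " ".join(w[3:]))
        elif ln.startswith("ssh server dh-exchange min-len") and int(w[4]) < 2048:
            findings.append(f"SSH DH minimum modulus {w[4]} is below 2048")
    if not any(ln.startswith("snmp-agent protocol source-interface") for ln in lines):
        findings.append("no 'snmp-agent protocol source-interface': agent bound to all interfaces")
    return findings
```

    Run audit_config() on a display current-configuration excerpt before entering the matching values in FortiNAC; every finding names the line to correct.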

     

  4. MAC Trap Notification.

    On an access switch, it is possible to configure the switch to send a MAC notification trap once a MAC address is learned. To configure this on a Huawei switch, run the following commands:

    interface gigabitethernet <slot>/<slot>/<port>
    mac-address trap notification learn

  5. FortiNAC Configuration.

    1. Log in to the FortiNAC.
    2. Navigate to Network -> Inventory, select the container, and select 'Add'.
    3. Enter the SNMPv3 and SSH parameters exactly as configured on the Huawei switch.
    4. Validate the credentials and select 'OK'.