FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
FortiKoala
Staff
Article Id 197689

Description

 

This article describes how to investigate cases where a device fails CLI credential validation ('Validate Credentials') in the Administration UI, while an SSH session to the same device opened from the FortiNAC CLI succeeds with the same credentials.

 

Scope

 

FortiNAC, FortiNAC-F.

 

Solution

 

Enable debug output for the TelnetServer plugin from the FortiNAC CLI and tail the master log:

 

FortiNAC (CentOS):

 

logs

nacdebug -name TelnetServer true

tf output.master

 

FortiNAC-F (NACOS):

 

diagnose debug plugin enable TelnetServer

diagnose tail -F output.master
 
After the debugs are enabled, select 'Validate Credentials' for the device in the Administration UI. The error is logged as follows (check output.messages as well as the tailed output.master):

error reading sysDescr from <vendor> device <device ip address>
telnet server getfailed

 

The cause is that FortiNAC must be able to read the device's sysDescr object (SNMPv2-MIB::sysDescr.0, OID 1.3.6.1.2.1.1.1.0) over SNMP before it can validate CLI credentials:

  • sysDescr carries information such as the IOS version on Cisco devices, which FortiNAC uses to characterize the device and choose how to manage it. 
  • If the device does not answer a query for this OID, FortiNAC cannot determine which set of CLI commands to use, so credential validation fails even though the credentials themselves are correct. 
 

To confirm whether sysDescr can be read with the SNMPv3 credentials configured for the device in FortiNAC, query the OID from the appliance CLI with snmpwalk:

 

FortiNAC (CentOS)

snmpwalk -v 3 -u <username> -l <authPriv or authNoPriv> -a <MD5 or SHA> -A <auth password> -x <DES or AES> -X <priv password> <device ip_address> 1.3.6.1.2.1.1.1.0

FortiNAC-F (NACOS) v7.2

execute enter-shell
snmpwalk -v 3 -u <username> -l <authPriv or authNoPriv> -a <MD5 or SHA> -A <auth password> -x <DES or AES> -X <priv password> <device ip_address> 1.3.6.1.2.1.1.1.0

Note: net-snmp accepts only the security levels noAuthNoPriv, authNoPriv and authPriv; the -x/-X privacy options apply to authPriv only. Because 1.3.6.1.2.1.1.1.0 is a single instance, snmpwalk finds nothing beneath it and falls back to a GET of that exact OID, so snmpget with the same options returns the same result.
 
FortiNAC-F (NACOS) v7.4 and greater
 
diagnose network snmp walk <device ip_address> 1.3.6.1.2.1.1.1.0
 
Usage: diagnose network snmp walk <ip> <oid> [--bulk] [--debug] [--c <context>]
  <ip>                      IP address of the device
  <oid>                     OID value to manipulate data through snmp4j commands
  --c, --context <context>  The context value
  --debug                   Turns on detailed debug
  --bulk                    Does a bulk get instead of a getNext
 
 

Example of a normal response:

 
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S3, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 25-Mar-16 16:59 by mcpre

 
Example of a failed response:
 

SNMPv2-MIB::sysDescr.0 = No Such Object available on this agent at this OID

 

When this error is returned, the device's SNMP agent was reached and accepted the SNMPv3 user, but the read view assigned to that user's group does not include the OID, so the agent answers as if the object did not exist. Ensure the SNMPv3 configuration on the device grants the FortiNAC user read access to sysDescr (1.3.6.1.2.1.1.1.0); in practice, include the system subtree 1.3.6.1.2.1.1 in the group's read view. A timeout or an 'Authentication failure' message from snmpwalk indicates a different problem (reachability, an ACL, or mismatched SNMPv3 credentials) that must be fixed first.
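As an added example that is not part of this article, the following POSIX shell helper wraps the sysDescr query above in net-snmp's snmpget and classifies the reply, separating the 'No Such Object' case from an SNMPv3 authentication failure or a timeout, which the raw snmpwalk output does not label. The function names, the host 192.0.2.10, the user nacuser and the SAMPLE_* strings are assumptions constructed for this example; with three or more arguments it queries a live device from the appliance shell, otherwise it runs over the constructed samples:

```shell
#!/bin/sh
# Added troubleshooting helper; it is not part of the Fortinet article.
# It reads sysDescr.0 from a device with net-snmp's snmpget and classifies the
# reply so that a view restriction (the article's case) is not mistaken for a
# credential or reachability problem. The function names, the 192.0.2.10 /
# nacuser values and the SAMPLE_* outputs are assumptions constructed here.

SYSDESCR_OID="1.3.6.1.2.1.1.1.0"   # SNMPv2-MIB::sysDescr.0

# net-snmp accepts exactly these security levels ("NoAuthPriv" is not one).
validate_level() {
  case "$1" in
    noAuthNoPriv|authNoPriv|authPriv) return 0 ;;
    *) echo "invalid SNMPv3 security level '$1' (use noAuthNoPriv, authNoPriv or authPriv)" >&2
       return 1 ;;
  esac
}

# Live query. Requires snmpget on the appliance shell; reply goes to stdout.
# usage: get_sysdescr <host> <user> <level> [<authproto> <authpass> [<privproto> <privpass>]]
get_sysdescr() {
  validate_level "$3" || return 1
  case "$3" in
    noAuthNoPriv) snmpget -v3 -u "$2" -l noAuthNoPriv "$1" "$SYSDESCR_OID" 2>&1 ;;
    authNoPriv)   snmpget -v3 -u "$2" -l authNoPriv -a "$4" -A "$5" "$1" "$SYSDESCR_OID" 2>&1 ;;
    authPriv)     snmpget -v3 -u "$2" -l authPriv -a "$4" -A "$5" -x "$6" -X "$7" "$1" "$SYSDESCR_OID" 2>&1 ;;
  esac
}

# Map snmpget/snmpwalk output (read from stdin) to one verdict:
# OK | VIEW_DENIED | AUTH_FAILURE | UNREACHABLE | UNKNOWN
classify_snmp_result() {
  out=$(cat)
  case "$out" in
    *"sysDescr.0 = STRING:"*)                          echo OK ;;
    *"No Such Object available"*|*"No Such Instance"*) echo VIEW_DENIED ;;
    *"Authentication failure"*|*"Unknown user name"*|*"Unsupported security level"*) echo AUTH_FAILURE ;;
    *"Timeout: No Response"*)                          echo UNREACHABLE ;;
    *)                                                 echo UNKNOWN ;;
  esac
}

# What to check next for each verdict.
next_step() {
  case "$1" in
    OK)           echo "sysDescr is readable; look at the CLI credentials/SSH path instead" ;;
    VIEW_DENIED)  echo "agent answered and accepted the user, but its read view excludes sysDescr: add the system subtree 1.3.6.1.2.1.1 to the view of the FortiNAC user's group" ;;
    AUTH_FAILURE) echo "user name, auth/priv protocol or passphrase differs between FortiNAC and the device" ;;
    UNREACHABLE)  echo "no reply on UDP/161: check reachability, ACLs and that SNMPv3 is enabled" ;;
    *)            echo "read the raw output" ;;
  esac
}

# Constructed sample replies in net-snmp's output format (not captured from a device).
SAMPLE_OK='SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport'
SAMPLE_DENIED='SNMPv2-MIB::sysDescr.0 = No Such Object available on this agent at this OID'
SAMPLE_AUTH='snmpget: Authentication failure (incorrect password, community or key)'
SAMPLE_TIMEOUT='Timeout: No Response from 192.0.2.10.'

# With host/user/level (and protocol) arguments, query a real device; otherwise
# walk through the constructed samples.
if [ "$#" -ge 3 ]; then
  verdict=$(get_sysdescr "$@" | classify_snmp_result)
  echo "$verdict -> $(next_step "$verdict")"
else
  for s in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_AUTH" "$SAMPLE_TIMEOUT"; do
    verdict=$(printf '%s\n' "$s" | classify_snmp_result)
    echo "$verdict -> $(next_step "$verdict")"
  done
fi
```

Passphrases passed with -A/-X are visible to other local users in the process list for the duration of the query, exactly as with the manual snmpwalk above; run it only from the appliance shell and clear the shell history afterwards if that matters in your environment.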

 

Related articles:

Technical Note: Troubleshooting CLI credential failure