FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
blarochelle, Staff
Article Id 360152

 

Description

This article describes how to disable FortiNAC's ability to use public key authentication against devices. The setting can be disabled at a device level or a global level.

 

Note:

As of FortiNAC-F 7.2.9, 7.4.1 and 7.6.3, Public Key Authentication is disabled by default.

Scope

FortiNAC-F v7.2 and above.

Solution

Workaround for earlier versions:

  1. Disable Key Authentication in FortiNAC (globally or per device).
  2. Delete SSH public keys used by the FortiNAC SSH Client.


Step 1: Disable Key Authentication in FortiNAC
Option 1: Disable FortiNAC's ability to use public key authentication at a global level

Edit the file /bsc/campusMgr/master_loader/.masterPropertyFile

Add the following lines to the uncommented section of the file:


FILE_NAME=./properties_plugin/telnetServer.properties
{
com.bsc.plugin.telnet.TelnetServer.ssh.publicKeyAuthEnabled=false
}


Option 2: Disable the setting per device (GUI Method - vF 7.6.2 and above):

  1. Navigate to Network > Inventory.
  2. In the Credentials tab, ensure the Use Public Key Authentication checkbox is not selected.
 

[Image: GUI.jpg]

 

Option 3: Disable the setting per device (CLI Method - All other versions):

 

Type:

device -ip <IP> -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value "false"

where <IP> is the IP address of the modeled device on which the setting is to be disabled.

Example:


device -ip 192.168.10.10 -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value "false"


Step 2: Delete SSH public keys Used by the FortiNAC SSH Client

(This step is not required if Public Key Authentication was disabled via GUI in step 1.)


Once key authentication is disabled, remove all the SSH public keys used by the FortiNAC SSH client (the "nac" user).

 

List existing SSH keys for the nac user (owner of the FortiNAC process). Type:


execute ssh-authentication-keys list nac

Example output:


id_ed25519: ssh-ed25519 AAAAC3...
id_rsa: ssh-rsa AAAAB3...

Note:

The name of the SSH key is the text before the ':' and is used in the remove command.

Remove all the SSH keys by name:


execute ssh-authentication-keys remove nac <name>

Example:

 

execute ssh-authentication-keys remove nac id_rsa

Note:

SSH public keys are automatically re-added when the FortiNAC services restart. Consequently, the keys must be removed again after each restart. This behavior is due to an issue with the underlying SSH client and is fixed in vF 7.6.3 GA.
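Because the keys come back after every service restart, it is useful to be able to re-check both steps quickly. The helpers below are an added example, not Fortinet's code: one checks whether an uncommented telnetServer.properties block in .masterPropertyFile sets publicKeyAuthEnabled=false (appending the block from this article if it does not), and one turns the output of "execute ssh-authentication-keys list nac" into the matching remove commands. It assumes that '#' marks comment lines in the property file and that the list output has one "<name>: <type> <key>" entry per line; the sample file and key list are constructed for the demonstration.

```python
import re

# Paths and keys as given in the article; the comment syntax below is an assumption.
PROPERTY_FILE = "/bsc/campusMgr/master_loader/.masterPropertyFile"
PLUGIN = "FILE_NAME=./properties_plugin/telnetServer.properties"
KEY = "com.bsc.plugin.telnet.TelnetServer.ssh.publicKeyAuthEnabled"


def public_key_auth_disabled(text: str) -> bool:
    """True if an uncommented telnetServer.properties block sets the key to false."""
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        if line.startswith("FILE_NAME="):
            block = line                       # entering a new plugin block
        elif line == "}":
            block = None                       # leaving the current block
        elif block == PLUGIN and line.startswith(KEY + "="):
            return line.split("=", 1)[1].strip().lower() == "false"
    return False


def add_disable_block(text: str) -> str:
    """Append the block from the article unless the setting is already disabled (idempotent)."""
    if public_key_auth_disabled(text):
        return text
    return text.rstrip("\n") + f"\n\n{PLUGIN}\n{{\n{KEY}=false\n}}\n"


def remove_commands(list_output: str, user: str = "nac") -> list:
    """Build one 'remove' command per key name (the text before ':') in the list output."""
    cmds = []
    for line in list_output.splitlines():
        m = re.match(r"^\s*([^:\s]+):\s*ssh-", line)
        if m:
            cmds.append(f"execute ssh-authentication-keys remove {user} {m.group(1)}")
    return cmds


# Constructed sample: the setting appears only inside a commented-out block, so it is NOT active.
SAMPLE_FILE = """# constructed sample, not a real FortiNAC property file
FILE_NAME=./properties_plugin/other.properties
{
some.other.setting=true
}
# FILE_NAME=./properties_plugin/telnetServer.properties
# com.bsc.plugin.telnet.TelnetServer.ssh.publicKeyAuthEnabled=false
"""
SAMPLE_LIST = "id_ed25519: ssh-ed25519 AAAAC3...\nid_rsa: ssh-rsa AAAAB3...\n"
```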