FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
scitlak
Staff
Article Id 421550
Description This article describes how to configure Public Key Authentication from FortiNAC to FortiGate by generating an SSH public key on FortiNAC and enabling secure, passwordless administrative access on the FortiGate device.
Scope FortiNAC, FortiNAC-F.
Solution
  1. A default pre-generated public key is already available within FortiNAC and can be displayed using the following command.

execute ssh-authentication-keys list nac


If the default key is not intended for use, a new public key can be generated using the command below.


execute ssh-authentication-keys generate nac ssh-ed25519


  2. The SSH public key obtained from FortiNAC will appear in a format similar to the example below.


ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQxxxxxxxxx/XZGpYAUdJVUlXZDVehWY+DN8 nac@ca1


When the key is configured on the FortiGate, the trailing 'nac@ca1' identifier (the OpenSSH comment field) must not be included.
Only the key type and the key string are required.
The public key can be applied to either a newly created administrator account or an existing one. An example configuration is shown below.


config system admin
    edit "fnac2"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ2+nFddsY2xxxxxxxxx/XZGpYAUdJVUlXZDVehWY+DN8"
    next
end


  3. The FortiGate administrator account to which the public key has been applied must be configured on FortiNAC as the SSH credential for the device.
    During this configuration, a password must be entered, and the 'Use Public Key Authentication (if available)' option must be enabled.


The password entered in this field may be a dummy value or the actual password of the FortiGate administrator account. If public key authentication fails and a valid password has been configured on FortiNAC, FortiNAC will attempt to authenticate using the username and password as a fallback method.
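The following script is an added example (not FortiNAC or FortiGate code) that turns the key line printed by FortiNAC into the FortiGate admin stanza shown in step 2, dropping the trailing comment and checking that the base64 blob really encodes a key of the declared type. The account name, access profile and VDOM are the ones from the example above; the ed25519 key bytes are constructed for the demonstration.

```python
import base64
import struct

# Added example (not FortiNAC or FortiGate code): convert the line printed by
# 'execute ssh-authentication-keys list nac' into a FortiGate admin stanza,
# omitting the trailing 'nac@ca1' comment and sanity-checking the key blob.

SUPPORTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_openssh_public_key(line):
    """Split '<type> <base64> [comment]' and verify the blob is of that type."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    if key_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    blob = base64.b64decode(b64, validate=True)
    # An OpenSSH public key blob starts with a uint32 length and the key-type
    # string; it must agree with the type given in the first text field.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"blob says {embedded!r}, line says {key_type!r}")
    if key_type == "ssh-ed25519":
        (klen,) = struct.unpack(">I", blob[4 + n:8 + n])
        if klen != 32 or len(blob) != 8 + n + 32:
            raise ValueError("ed25519 public key must be exactly 32 bytes")
    return key_type, b64


def fortigate_admin_stanza(key_line, admin="fnac2", profile="super_admin", vdom="root"):
    """Render 'config system admin' with only '<type> <base64>' in ssh-public-key1."""
    key_type, b64 = parse_openssh_public_key(key_line)
    return "\n".join([
        "config system admin",
        f'    edit "{admin}"',
        f'        set accprofile "{profile}"',
        f'        set vdom "{vdom}"',
        f'        set ssh-public-key1 "{key_type} {b64}"',
        "    next",
        "end",
    ])


def constructed_ed25519_line(comment="nac@ca1"):
    """Constructed sample: a well-formed ed25519 key line, not a real FortiNAC key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(fortigate_admin_stanza(constructed_ed25519_line()))
```

A mismatch between the declared type and the blob, or a truncated key string, raises ValueError instead of producing a stanza that FortiGate would silently reject at login time.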



Related article:
Technical Tip: How to generate ssh keys on Linux host and use it for public-private key authenticati...