- A default pre-generated public key is already available within FortiNAC and can be displayed using the following command:
execute ssh-authentcation-key list nac
If the default key is not intended for use, a new public key can be generated using the command below:
execute ssh-authentication-keys generate nac ssh-ed25519
-
The SSH public key obtained from FortiAC will appear in a format similar to the example below:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQxxxxxxxxx/XZGpYAUdJVUlXZDVehWY+DN8 nac@ca1
When the key is implemented on the FortiGate, the 'nac@ca1' identifier at the end must not be included.
Only the key type and key string are required. The public key can be applied to either a newly created administrator account or an existing one. An example configuration is shown below:
config system admin
edit "fnac2"
set accprofile "super_admin"
set vdom "root"
set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQxxxxxxxxx/XZGpYAUdJVUlXZDVehWY+DN8"
set password <password>
next
end
Note: The password has to be specified for the created admin account. Otherwise, the created admin account could be used to login via HTTPS to the Admin GUI of FortiGate without a password.
-
The FortiGate administrator account to which the public key has been applied must be configured on FortiNAC as the SSH credential for the device. During this configuration, a password must be entered, and the 'Use Public Key Authentication (if available)' option must be enabled.
The password entered in this field may be a dummy value or the actual password of the FortiGate administrator account. If public key authentication fails and a valid password has been configured on FortiNAC, FortiNAC will attempt to authenticate using the username and password as a fallback method.
Related article:
Technical Tip: How to generate ssh keys on Linux host and use it for public-private key authenticati...
FortiGate / FortiOS 7.6.5 Administration Guide - Public key SSH access
|
