FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Markus_M
Staff & Editor
Article Id 190812

Description

This article describes potential issues that may arise from using the '#' character in the switch CLI banner. In some cases, the following error messages appear during manual operations:

  • Unable to switch VLANs.
  • Unable to read VLANs.

In general, no VLAN changes are observed on the switch (when checking on the switch directly), meaning FortiNAC is not able to operate the switch.

Certain read and write tasks require CLI access to the switch.
These tasks include:

  • Reading VLANs.
  • Switching VLANs.
  • L2 and L3 polling.

When changing VLANs or during other operations, FortiNAC automatically logs into the switch with the configured credentials via SSH or via Telnet (which is plaintext and insecure).


In order to recognize whether the:

  • Connection was made correctly.
  • Credentials are being requested.
  • Login was successful.

FortiNAC has to evaluate the characters that are sent during the SSH session.
This is the same output an administrator reads when manually logged into the switch via the CLI.

The '#' prompt character is interpreted as the result of a successful login as a privileged (superuser) account. FortiNAC, however, also evaluates the banner or disclaimer sent by the switch before the prompt, so a '#' appearing in the banner is interpreted in the same way.

Note:

  • If an 'enable' password is set in the CLI configuration of the switch, FortiNAC expects the '>' character instead.
    If the switch CLI banner or disclaimer contains the character '#' or '>', CLI sessions may fail to complete because FortiNAC interprets that character as the prompt.
  • In some cases, the SSIDs tab in the FortiNAC inventory will not be visible when adding a wireless controller if an exec or login banner containing the '#' symbol is enabled.


Test this behavior by manually logging in to the switch from the FortiNAC CLI with the credentials set in the FortiNAC GUI. For example:

FortiNAC FNVMCA:
root@fortiLABFNAC:/bsc/logs
> ssh svc-user@10.0.0.19


After authentication, the banner or disclaimer from the device is printed before the prompt and causes the problem, for example:


##################################
# This is a secure environment.
# All logins will be logged and monitored.
# Be aware that data obtained is confidential and must not be shared.
# Disconnect immediately if you are not authorized for access.
##################################

CoreSW1#
CoreSW1#
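To illustrate the misdetection described above, the following added example (not FortiNAC code; the constructed banner mirrors the one shown in this article, and the naive line-by-line reader is an assumption about how a prompt detector behaves) shows that a '#' in the banner is seen before the real 'CoreSW1#' prompt, and includes a small pre-flight check that flags banner lines containing '#' or '>' before the banner is pushed to a switch:

```python
"""Show why a '#' or '>' in a switch login banner trips prompt detection."""

# Constructed sample banner, modelled on the one shown in the article.
BANNER_WITH_HASH = (
    "##################################\n"
    "# This is a secure environment.\n"
    "# All logins will be logged and monitored.\n"
    "##################################\n"
)
# Same banner after the article's recommended substitution ('-' instead of '#').
BANNER_FIXED = BANNER_WITH_HASH.replace("#", "-")

PROMPT = "CoreSW1#"   # privileged prompt the switch prints after login
PROMPT_CHARS = "#>"   # '#' = privileged prompt, '>' = user-mode prompt


def session_output(banner: str, prompt: str = PROMPT) -> str:
    """What the SSH client receives after authentication: banner, then prompt."""
    return banner + prompt


def naive_prompt_line(output: str) -> int:
    """Line number (1-based) on which a naive reader first sees '#' or '>',
    i.e. where it would conclude that the login has completed. 0 if never seen.
    This models the behaviour the article describes; it is an assumption."""
    for n, line in enumerate(output.splitlines(), 1):
        if any(c in line for c in PROMPT_CHARS):
            return n
    return 0


def banner_conflicts(banner: str) -> list:
    """Pre-flight lint: (line number, offending characters) for every banner
    line that contains a prompt character and would trip the detection above."""
    hits = []
    for n, line in enumerate(banner.splitlines(), 1):
        found = "".join(sorted({c for c in line if c in PROMPT_CHARS}))
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for name, banner in (("with '#'", BANNER_WITH_HASH), ("fixed", BANNER_FIXED)):
        out = session_output(banner)
        print(f"banner {name}: prompt detected on line {naive_prompt_line(out)} "
              f"of {len(out.splitlines())}; conflicts: {banner_conflicts(banner)}")
```

With the original banner the reader stops on line 1 (inside the banner), while with the hyphen banner it only stops on the last line, where the real prompt is.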


Scope


FortiNAC.


Solution


Change the '#' and '>' characters in the switch banner to another character, such as a hyphen (-), exclamation mark (!), equal sign (=) or star/wildcard character (*).

In general, when configuring the device, use only letters, numbers and hyphens (-) in names for items within the device configuration, in security strings and in SNMP credentials, to prevent this behavior from affecting operation.

Related articles:

Technical Tip: Troubleshooting CLI credential failure