NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 271544
Description This article describes behavior where SSH communication can fail if the device controlling the VIP changes. This is due to a change in the SSH key, making the currently used key invalid.
Scope FortiNAC with Cisco ASA, Aruba WLC, and Aruba IAP integrations.

Version 9.4.3 and above: To prevent an SSH communication failure due to this scenario, the MultiKnownHostEntries attribute can be enabled. FortiNAC's known_hosts cache is checked for all potential matches of the VIP and determines which entry to use. This is done on a per-device model basis.


This function is also detailed under Model Configuration in the Administration Guide.


FortiNAC-OS: To be addressed in version F 7.6.0.   


Procedure (CentOS Only):


  1. Log in to the FortiNAC CLI as root.

  2. Add the IP address of a device that could potentially own the VIP to the known host's cache. Enter the following:

    ssh root@<IP address>

    When prompted to continue connecting, enter yes.
    The resulting SSH key is written to /root/.ssh/known_hosts file.

  3. Press Ctrl-C to end the SSH session.

  4. Display the keys. Enter the following:

    cat /root/.ssh/known_hosts | grep <IP address>

  5. Copy the key.

  6. Modify /bsc/.ssh/known_hosts.

    1. Paste the key on a separate line.
    2. Change the IP address to the VIP.
    3. Save the file.

  1. Confirm the change by entering the following command:

    cat /bsc/.ssh/known_hosts | grep <VIP address>

    /bsc/.ssh/known_hosts should now have two entries for the VIP with 2 different keys:
    1 entry is the VIP which is modeled in FortiNAC as a full device model SSH key.
    1 entry is the pingable model.

  2. Repeat steps 2-6 for each device that could potentially own the VIP.

  3. Enable the MultiKnownHostEntries attribute for the VIP. Enter the following:

    device -ip <VIP address> -setAttr -name MultiKnownHostEntries -value true

    For example:

    device -ip -setAttr -name MultiKnownHostEntries -value true