NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
This article describes behavior where SSH communication can fail if the device controlling the VIP changes. This is due to a change in the SSH key, making the currently used key invalid.
Scope
FortiNAC with Cisco ASA, Aruba WLC, and Aruba IAP integrations.
Solution
Version 9.4.3 and above: To prevent an SSH communication failure due to this scenario, the MultiKnownHostEntries attribute can be enabled. FortiNAC's known_hosts cache is checked for all potential matches of the VIP and determines which entry to use. This is done on a per-device model basis.
This function is also detailed under Model Configuration in the Administration Guide.
Procedure (CentOS Only):
Log in to the FortiNAC CLI as root.
Add the IP address of a device that could potentially own the VIP to the known host's cache. Enter the following:
ssh root@<IP address>
When prompted to continue connecting, enter yes. The resulting SSH key is written to /root/.ssh/known_hosts file.
Press Ctrl-C to end the SSH session.
Display the keys. Enter the following:
cat /root/.ssh/known_hosts | grep <IP address>
Copy the key.
Modify /bsc/.ssh/known_hosts.
Paste the key on a separate line.
Change the IP address to the VIP.
Save the file.
Confirm the change by entering the following command:
cat /bsc/.ssh/known_hosts | grep <VIP address>
/bsc/.ssh/known_hosts should now have two entries for the VIP with 2 different keys: 1 entry is the VIP which is modeled in FortiNAC as a full device model SSH key. 1 entry is the pingable model.
Repeat steps 2-6 for each device that could potentially own the VIP.
Enable the MultiKnownHostEntries attribute for the VIP. Enter the following:
