FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu (Staff)
Article Id 244991
Description

This article describes how to customize SSH authentication attributes in FortiNAC. Certain network devices may require security algorithms that are no longer enabled by default because of known weaknesses. This can cause SSH communication between FortiNAC and devices that still use those algorithms to fail.

Scope

FortiNAC v9.2.7, v9.4.2, v7.2.0 and greater.
Solution

Use the CLI commands in the table below to retrieve the list of algorithms currently supported by the SSH client on the FortiNAC appliance.

CentOS: Log in as root.

FortiNAC-OS: Log in as admin.

Algorithm type | CentOS Command | FortiNAC-OS Command
KexAlgorithms  | ssh -Q kex     | execute enter-shell, then ssh -Q kex
Ciphers        | ssh -Q cipher  | execute enter-shell, then ssh -Q cipher
MACs           | ssh -Q mac     | execute enter-shell, then ssh -Q mac


Configure FortiNAC to use the required algorithms when communicating via SSH with specific devices. These customizations are set per device and must be configured through the appliance CLI. Contact support for assistance.

Run the following command with the parameters described in the table below.

CentOS:

device -ip <device IP> -setAttr -name <name> -value <value>

FortiNAC-OS:

execute enter-shell
device -ip <device IP> -setAttr -name <name> -value <value>

Name            | Value
SSH_KEX         | A quoted string containing the names of key exchange algorithms separated by a space (order is preserved).
SSH_CIPHERS     | A quoted string containing the names of ciphers separated by a space.
SSH_MACS        | A quoted string containing the names of MACs separated by a space.
SSH_KBD_ENABLED | A string containing true or false. Enables or disables keyboard-interactive authentication. Disabled by default.


Example 1: Override the default kex list:

device -ip 10.12.228.126 -setAttr -name SSH_KEX -value "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1"

Example 2: Enable keyboard-interactive:

device -ip 10.12.228.126 -setAttr -name SSH_KBD_ENABLED -value true

Example 3: Restore the default settings by removing the attribute:

device -ip 10.12.228.126 -delAttr -name SSH_KBD_ENABLED
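The script below is an added example and is not part of the Fortinet article or of the FortiNAC product. It ties the two halves of the procedure together: it checks a requested algorithm list against the one-name-per-line format that ssh -Q kex, ssh -Q cipher and ssh -Q mac print (a constructed sample is embedded so the script runs offline; on the appliance the output of the table's commands would be used instead), flags SHA-1 and 1024-bit group1 entries so the operator can see which legacy algorithms an override re-enables, and prints the device -setAttr command in the form shown in Example 1. The function names, the sample list and the legacy-name pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not FortiNAC code. Validates a space-separated algorithm list
# against a supported list (one name per line, as `ssh -Q <type>` prints it),
# reports legacy entries, and builds the `device -setAttr` command.

# Constructed sample of `ssh -Q kex` output (assumption). On the appliance,
# capture the real output: `ssh -Q kex` on CentOS, or `execute enter-shell`
# followed by `ssh -Q kex` on FortiNAC-OS.
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
curve25519-sha256'

# unsupported_algos SUPPORTED_LIST REQUESTED
# Prints the requested names that do not appear in the supported list.
unsupported_algos() {
  _supported=$1
  _missing=""
  for _a in $2; do
    # -x: whole-line match, -F: literal (names contain '.', '@', '-')
    if ! printf '%s\n' "$_supported" | grep -qxF -- "$_a"; then
      _missing="$_missing $_a"
    fi
  done
  printf '%s' "${_missing# }"
}

# legacy_algos REQUESTED
# Prints the names that rely on SHA-1 or the 1024-bit group1 exchange
# (hypothetical pattern; extend it for the cipher and MAC lists as needed).
legacy_algos() {
  _legacy=""
  for _a in $1; do
    case $_a in
      *sha1*|*group1-*) _legacy="$_legacy $_a" ;;
    esac
  done
  printf '%s' "${_legacy# }"
}

# build_setattr IP NAME VALUE
# Prints the per-device command from the article, value quoted as required.
build_setattr() {
  printf 'device -ip %s -setAttr -name %s -value "%s"\n' "$1" "$2" "$3"
}

# Demo run using the constructed sample and the article's Example 1 list.
REQUEST="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1"
missing=$(unsupported_algos "$SAMPLE_KEX" "$REQUEST")
if [ -n "$missing" ]; then
  echo "Not supported by this ssh client: $missing" >&2
  exit 1
fi
legacy=$(legacy_algos "$REQUEST")
[ -n "$legacy" ] && echo "Note: legacy algorithms in list: $legacy" >&2
build_setattr 10.12.228.126 SSH_KEX "$REQUEST"
```

Because SSH_KEX preserves order, the first name in the list is the one the client offers first; keeping a stronger algorithm ahead of the legacy one lets devices that support both negotiate the stronger exchange while the older device still connects.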