Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gumo
New Contributor II

Fortinac fortinac apparatus joint

I am trying to add a device on Fortinac, the device is being added but the cli settings are not valid.

Fortinac:9.4.4

The error I got was as follows,

Spoiler
Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss / server: rsa-sha2-512,rsa-sha2-256)



 
 

 

 

5 REPLIES 5
AEK
SuperUser
SuperUser

As per my experience when adding a new device, FortiNAC accepts all HK algorithms, even the obsolete ones.

  • So from where are you getting this error message? Is it when you try access the device from FortiNAC CLI?
  • Does the device accept ssh access from any client, or only from some clients that have a signed certificate from some CA?
AEK
AEK
Gumo
New Contributor II

I don't have problems with newly added devices, I have problems with devices on Nac. When I look at the event logs of the device on Nac, I see the error message. I can access the devices I receive error messages from via cli.

CharlesYoung

Thank you so much for your help.

Hatibi
Staff
Staff

Hi Gumo,

 

can you try to apply the ssh KexAlgorithms as noted in this article:

https://community.fortinet.com/t5/FortiNAC/Troubleshooting-Tip-Modify-SSH-authentication-algorithms-...

 

If there are still issues you might need to open a TAC case and check with debugging enabled.

Enable in FNAC cli:

 

logs

Device -ip X.X.X.X -setAttr -name DEBUG -value "ForwardingInterface TelnetServer"  <----- Replace X.X.X.X with the actual IP. 

nacdebug -logger org.apache.sshd -level FINEST

tf output.master

 

After enabling this then Click "Validate Credentials" on GUI. When finished enter Ctrl+c to stop the output.

Save the logs in a text file.

Stop debbugging:

 

Device -ip X.X.X.X -delAttr -name DEBUG

nacdebug -logger org.apache.sshd

 

Attach the logs to Forticare Ticket for further inspection.

 

Regards

ndumaj

hello @Gumo 

What is the device that you are trying to add?
Is that a SW or FW?

Enable debug should provide more info.

however try via FNAC cli:
>ssh username@<ip of the device>

BR

- Happy to help, hit like and accept the solution -
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors