FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
cmaheu
Staff
Article Id 281029
Description

This article discusses the behavior that can occur with network infrastructure devices that still use legacy SSH ciphers (strictly, legacy Diffie-Hellman key exchange algorithms, controlled on FortiNAC by the SSH_KEX device attribute; this article follows the product's term "ciphers").

Vulnerable Diffie-Hellman SSH ciphers were removed in versions 9.2.8, 9.4.4, 7.2.3 and greater. Removing them causes SSH communication to fail between FortiNAC and any network device that still requires one of these ciphers, because the two sides no longer share a key exchange algorithm.

 

Depending on the device, the resulting behavior can vary from failed L2 and L3 polling to failed VLAN switching.

The following events are generated for the affected device:
L2 Poll Failed
L3 Poll Failed
VLAN Switch Failure


If any of the above events is reported after the upgrade, verify CLI connectivity to the device: open the device's Model Configuration, select the Credentials tab, confirm the credentials are correct, then select the Validate Credentials button. If validation still fails with correct credentials, the removed ciphers are the likely cause and the workaround in the Solution section applies.

Scope
FortiNAC/CentOS v9.2.8, v9.4.4, v7.2.3 or greater; FortiNAC-F/FortiNAC-OS v7.2.3 or greater.
Solution

Workaround: 

The legacy ciphers must be re-added after the upgrade via the CLI, using one of the following command options. The -value argument is a space-separated list of key exchange algorithms. The commands below re-add all four removed algorithms; re-adding only the ones a device actually offers is preferable, because diffie-hellman-group1-sha1 (1024-bit group, SHA-1) is the weakest of the four and re-enabling it lowers the security of the SSH session between FortiNAC and that device. Treat the re-added ciphers as a stop-gap until the device firmware supports a modern key exchange algorithm.

Contact Support if assistance is required.

 

Option 1: Re-add the ciphers for all the device models in the specified device group.

 

CentOS (log in as root):


device -group <Device_Group_Name> -setAttr -name SSH_KEX -value "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256"


FortiNAC-OS (log in as admin):


execute enter-shell
device -group <Device_Group_Name> -setAttr -name SSH_KEX -value "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256"

 

 

Option 2: Re-add the ciphers for a single device model IP address.

 

CentOS (log in as root):


device -ip <device_IP> -setAttr -name SSH_KEX -value "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256"


FortiNAC-OS (log in as admin):


execute enter-shell
device -ip <device_IP> -setAttr -name SSH_KEX -value "diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256"
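The following script is an added example for this article, not Fortinet's code. It shows how to find out which of the four removed key exchange algorithms a device actually offers, by reading the server's KEXINIT proposal from OpenSSH client debug output, and then builds the single-device command from Option 2 with only those algorithms in the SSH_KEX value. It assumes an OpenSSH client on the host doing the probe, a hypothetical CLI user "admin" on the device, and a constructed sample of `ssh -vv` output used when no device IP is given; the device IP 192.0.2.10 is a documentation address, not a real device.

```bash
#!/bin/sh
# Added example, not Fortinet code: determine which legacy key exchange
# algorithms a network device offers and build the matching FortiNAC
# "device -setAttr" command with only those, instead of re-enabling all four.
# Assumptions (not from the article): an OpenSSH client on the probing host,
# a hypothetical CLI user "admin" on the device, and the constructed sample
# debug output below for offline use.

# The four algorithms this article says were removed, in the article's order.
LEGACY_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256"

# Read `ssh -vv` output on stdin and print the server's comma-separated KEX list.
# OpenSSH logs "debug2: peer server KEXINIT proposal" followed by a
# "debug2: KEX algorithms: ..." line. The client's own proposal is logged earlier
# under "local client KEXINIT proposal", so only lines after the server marker count.
server_kex_from_debug() {
    awk '
        /peer server KEXINIT proposal/ { in_server = 1; next }
        in_server && /KEX algorithms:/ { sub(/.*KEX algorithms: */, ""); print; exit }
    '
}

# $1 = comma-separated server KEX list. Print, space-separated and in LEGACY_KEX
# order, only the legacy algorithms the server offers (empty line if none).
legacy_kex_needed() {
    server_list=",$1,"
    out=""
    for alg in $LEGACY_KEX; do
        case "$server_list" in
            *",$alg,"*) out="${out:+$out }$alg" ;;
        esac
    done
    printf '%s\n' "$out"
}

# $1 = device IP, $2 = SSH_KEX value. Print the single-device command (Option 2).
setattr_command() {
    printf 'device -ip %s -setAttr -name SSH_KEX -value "%s"\n' "$1" "$2"
}

# Probe a live device. The KEXINIT exchange happens before authentication, so the
# server's proposal is logged even when login fails or no algorithm matches.
# BatchMode prevents a password prompt from blocking the probe.
probe_device() {
    ssh -vv -o BatchMode=yes -o ConnectTimeout=5 "admin@$1" exit 2>&1 | server_kex_from_debug
}

# Constructed sample of the relevant `ssh -vv` lines from a device that offers
# only two of the four legacy algorithms.
SAMPLE_DEBUG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa'

# Usage: sh check_kex.sh <device_IP>   With no argument, run against the sample.
if [ -n "${1:-}" ]; then
    ip="$1"
    kex=$(probe_device "$ip")
else
    ip="192.0.2.10"   # documentation address standing in for a real device
    kex=$(printf '%s\n' "$SAMPLE_DEBUG" | server_kex_from_debug)
fi
needed=$(legacy_kex_needed "$kex")
if [ -n "$needed" ]; then
    setattr_command "$ip" "$needed"
else
    echo "Device $ip offers no legacy KEX algorithm; no SSH_KEX change needed (offered: $kex)"
fi
```

Run it from a host that can reach the device on TCP 22 (the FortiNAC server itself, or an admin workstation), then paste the printed command into the FortiNAC CLI. For a device that offers only diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1, as in the sample, the script prints the Option 2 command with just those two algorithms, so the two Diffie-Hellman group exchange variants stay disabled.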

 

Solution: 

To be addressed in FortiNAC versions v9.4.5, v7.2.5 and v7.4.
