FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Markus_M
Staff
Article Id 190812
Description
In some cases, error messages such as the following appear when performing manual operations in FortiNAC:

- Unable to switch VLANs.
- Unable to read VLANs.

At the same time, no VLAN change is observed on the switch itself (when checking directly on the switch), so FortiNAC is effectively not operational against that switch.

Certain read and write tasks require CLI access to the switch.
These tasks include:

- Reading VLANs.
- Switching VLANs.
- L2 and L3 polling.

When changing VLANs or during other such operations, FortiNAC automatically logs in to the switch with the configured credentials via SSH or, if so configured, via Telnet (which is insecure, as it carries the credentials in clear text).

In order to recognize whether:

- The connection was established correctly.
- Credentials are being requested.
- The login was successful.

FortiNAC has to evaluate the characters that the switch sends during the SSH or Telnet session.
This is the same output an administrator sees when logging in to the switch CLI manually.

In particular, the '#' character is interpreted as the prompt of a successful login as a privileged (super) user.
FortiNAC, however, parses everything the switch sends, including the banner or disclaimer, not only the prompt line.


Note:
If an 'enable' password is set in the CLI configuration of the switch, FortiNAC expects the '>' character (the user-exec prompt) instead.

So if the switch CLI banner or disclaimer contains the character '#' or '>', the CLI session can fail to complete, because FortiNAC interprets that character in the banner as the prompt.

Test this behavior by logging in to the switch manually from the FortiNAC CLI, using the credentials set in the FortiNAC GUI, for example:
FortiNAC FNVMCA:
root@fortiLABFNAC:/bsc/logs
> ssh svc-user@10.0.0.19
In such a case, the banner or disclaimer from the device appears and can cause the problem:
##################################
# This is a secure environment.
# All logins will be logged and monitored.
# Be aware that data obtained is confidential and must not be shared.
# Disconnect immediately if you are not authorized for access.
##################################
CoreSW1#
CoreSW1#

Solution
Change the '#' and '>' characters in the switch banner to other characters, such as a hyphen (-), an exclamation mark (!) or an asterisk (*).

In general, when configuring the device, use only letters, numbers and hyphens (-) in the names of items within the device configuration, in security strings and in SNMP credentials, to prevent such behaviour from affecting operation.
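
The following Python script is an added illustration and is not Fortinet's code; it does not reproduce how FortiNAC actually parses a session. It models two prompt detectors over a constructed sample of switch output (the banner from the example above, followed by the prompt): a naive one that accepts the first line containing the prompt character, which is derailed by a '#' border in the banner, and a stricter one that only accepts a hostname-like token ending in '#' or '>' on the last line received. It also includes a small lint function that flags banner lines containing '#' or '>' so a banner can be checked before it is pushed to a switch. The hostname CoreSW1 and the banner text are taken from the example above; the fixed banner simply replaces '#' with '*' as described in the Solution.

```python
import re

# Constructed sample (not a real capture): the login banner from the
# example above, which draws its border with '#'.
BANNER_WITH_HASH = """##################################
# This is a secure environment.
# All logins will be logged and monitored.
# Be aware that data obtained is confidential and must not be shared.
# Disconnect immediately if you are not authorized for access.
##################################"""

# The same banner after applying the Solution: border drawn with '*' instead.
BANNER_FIXED = BANNER_WITH_HASH.replace("#", "*")

PROMPT_PRIV = "CoreSW1#"   # privileged (enable-mode) prompt
PROMPT_USER = "CoreSW1>"   # user-exec prompt, expected when an enable password is set


def session_output(banner, prompt):
    """Assemble what the switch sends after authentication: banner, then prompt."""
    return banner + "\n" + prompt


def naive_prompt_match(output, prompt_char):
    """Simplified model of a prompt detector that accepts the FIRST line
    containing the prompt character. Assumed behaviour for illustration only,
    not FortiNAC's implementation. Returns (line_number, line) or None."""
    for lineno, line in enumerate(output.splitlines(), 1):
        if prompt_char in line:
            return lineno, line
    return None


def anchored_prompt_match(output, prompt_char):
    """Stricter detector: the prompt is the LAST line received and consists of
    a hostname-like token immediately followed by the prompt character."""
    pattern = re.compile(r"^[A-Za-z0-9._-]+" + re.escape(prompt_char) + r"$")
    lines = output.splitlines()
    if lines and pattern.match(lines[-1].rstrip()):
        return len(lines), lines[-1].rstrip()
    return None


def banner_violations(banner):
    """Lint a banner: return (line_number, line) for every line containing a
    character used to recognise a CLI prompt ('#' or '>')."""
    return [(n, line) for n, line in enumerate(banner.splitlines(), 1)
            if "#" in line or ">" in line]


if __name__ == "__main__":
    for label, banner in (("original", BANNER_WITH_HASH), ("fixed", BANNER_FIXED)):
        out = session_output(banner, PROMPT_PRIV)
        print(label,
              "naive:", naive_prompt_match(out, "#"),
              "anchored:", anchored_prompt_match(out, "#"),
              "violations:", len(banner_violations(banner)))
```

With the original banner the naive detector stops at line 1 (the '#' border) before the real prompt on line 7 has been received, which is the premature match this article describes; with the fixed banner both detectors agree on "CoreSW1#". Running banner_violations over a proposed banner text before committing it to the switch catches the offending lines up front.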


Related Articles

Technical Note: Troubleshooting CLI credential failure
