FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 196125

Description

 

Starting in version 9.1, devices modeled with CLI management via SSH have their host key added to a known_hosts file. When a device is removed from Topology, however, the associated entry is not removed from the file. If the IP address is later re-used by a different device, the stored host key no longer matches the key presented by the new device, which causes issues including:
  • Credentials fail to validate while attempting to model a device
  • Management functions using CLI do not work properly
Scope


Version: 9.1

Solution

 

Validation:

  1. In the Administration UI, model the device (select yes if prompted to add the device with the incorrect credentials).

  2. From the CLI, enable TelnetServer debug for the device model:

device -ip <device IP address> -setAttr -name DEBUG -value "TelnetServer"

  3. Attempt to validate credentials again.

  4. Search output.master for the following entry:

"Mismatched keys presented by <device IP address>"


Workaround: Remove the stale SSH host key entry from the known_hosts file. Contact Support if assistance is required.

 

Option 1:
 
  1. Log in to the appliance CLI as root.
  2. Open /bsc/.ssh/known_hosts in a text editor.
  3. Search for the device's IP address or hostname and remove the entry.

 

Option 2:
 
  1. Log in to the appliance CLI as root.
  2. Use the following command to make a backup of the current known_hosts file (saved as known_hosts.bak) and remove the entry for the IP address:

sed -i.bak '/^<device IP address>/d' /bsc/.ssh/known_hosts

 

Or:

 

sed -i.bak '/^<hostname>/d' /bsc/.ssh/known_hosts

 

Example:

 

sed -i.bak '/^192.168.1.105/d' /bsc/.ssh/known_hosts
sed -i.bak '/^floor2switch/d' /bsc/.ssh/known_hosts

 
After removing the stale entry, select 'Validate Credentials' under the Credentials tab for the device model and confirm that validation succeeds.
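The sed patterns in Option 2 treat each dot in the IP address as a regex wildcard and are only anchored at the start of the line, so '/^192.168.1.10/d' would also delete the entry for 192.168.1.105, and an entry written as "hostname,IP" would not be matched by the IP pattern at all. The following shell script is an added example, not part of the Fortinet article, that builds a constructed known_hosts file and removes an entry only when the given host appears as a complete name in the host-list field. The file path, sample hosts and key strings are all made up for the example.

```shell
#!/bin/sh
# Added example: safer removal of a single known_hosts entry.
# Not Fortinet code; file path and sample content are constructed.

# Write a constructed sample known_hosts to the given path.
# Key material is a placeholder, not a real public key.
make_sample() {
  cat > "$1" <<'EOF'
192.168.1.105 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1
192.168.1.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2
floor2switch,192.168.1.105 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3
floor2switch-2 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER4
EOF
}

# remove_known_host FILE HOST
# Deletes every line whose comma-separated host list contains HOST exactly
# (at line start or after a comma, followed by a comma or the space before
# the key type). Keeps a backup as FILE.bak, like the article's sed -i.bak.
remove_known_host() {
  file=$1
  host=$2
  # Escape regex metacharacters so a dot in an IP matches only a literal dot.
  esc=$(printf '%s' "$host" | sed 's/[.[\*^$]/\\&/g')
  sed -i.bak "/^\(.*,\)\{0,1\}${esc}\([, ]\)/d" "$file"
}

# count_lines FILE: number of remaining entries, for checking the result.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Stand-alone usage (constructed file in a temp location):
#   f=$(mktemp); make_sample "$f"; remove_known_host "$f" 192.168.1.105; cat "$f"
```

On a hashed known_hosts file (lines beginning with |1|), no plain-text pattern can match the host; in that case use the OpenSSH tool for the job, ssh-keygen -R <host> -f /bsc/.ssh/known_hosts, which understands hashed entries and writes its own backup as known_hosts.old. After either method, the Validate Credentials step from the article still applies.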
 
Permanent fix: Addressed in versions 9.1.7 and 9.2.5 and greater.