Original Message:
Sent: Feb 08, 2024 08:57 AM
From: peter.elms
Subject: initiating CLI commands through enforcement policy\profile
Yes, it is the FortiWLC, but the CoA didn't clear the cached info on the controller.
It forced a de-auth which is great but there is cached up info for the client on the controller that isn't getting removed.
Fortinet have shown the command they run to get the client cleared, which is why we wanted to go for sending the command via CLI access.
Let me know if this makes sense.
By the way appreciate you getting back to me.
thanks
Pete
Original Message:
Sent: Feb 08, 2024 08:20 AM
From: ahollifield
Subject: initiating CLI commands through enforcement policy\profile
Is this a FortiWLC (old Meru product)? Or FortiGate managed wireless? Or FortiLAN Cloud? Why not use CoA instead?
Original Message:
Sent: Feb 08, 2024 06:48 AM
From: peter.elms
Subject: initiating CLI commands through enforcement policy\profile
hi Airheads,
We have a customer with a Fortinet WLC\ClearPass solution. We are at a point of requiring the use of ClearPass CLI functionality to initiate an SSH command to the Fortinet controller to de-auth a guest client. We have tried sending the RADIUS REJECT packet, which the controller accepts and de-auths the client; however, there is cached session information which is not getting cleared out (on the controller) and we require the use of the CLI command (ssh to controller) in order to fire up the necessary command.
In Access Tracker we are getting the following error when we try the CLI process:
Failed to exec commands on nad:192.168.100.4 err:SSHException('No existing session',)
We think we are not initiating the CLI command correctly, so any pointers would be welcome.
cheers
Pete