Note
This plugin is part of the fortinet.fortios collection.
To install it use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_wireless_controller_vap.
New in version 2.8 of fortinet.fortios.
The below requirements are needed on the host that executes this module.
| Parameter | Choices/Defaults | Comments |
|---|---|---|
| host (string) | | FortiOS or FortiGate IP address. |
| https (boolean) | | Indicates if the requests towards FortiGate must use HTTPS protocol. |
| password (string) | Default: "" | FortiOS or FortiGate password. |
| ssl_verify (boolean), added in 2.9 of fortinet.fortios | | Ensures FortiGate certificate must be verified by a proper CA. |
| state (string), added in 2.9 of fortinet.fortios | | Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level. It has been moved out to this outer level. |
| username (string) | | FortiOS or FortiGate username. |
| vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
| wireless_controller_vap (dictionary) | | Configure Virtual Access Points (VAPs). |
| ↳ acct_interim_interval (integer) | | WiFi RADIUS accounting interim interval (60 - 86400 sec). |
| ↳ alias (string) | | Alias. |
| ↳ auth (string) | | Authentication protocol. |
| ↳ broadcast_ssid (string) | | Enable/disable broadcasting the SSID. |
| ↳ broadcast_suppression (string) | | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. |
| ↳ captive_portal_ac_name (string) | | Local-bridging captive portal ac-name. |
| ↳ captive_portal_macauth_radius_secret (string) | | Secret key to access the macauth RADIUS server. |
| ↳ captive_portal_macauth_radius_server (string) | | Captive portal external RADIUS server domain name or IP address. |
| ↳ captive_portal_radius_secret (string) | | Secret key to access the RADIUS server. |
| ↳ captive_portal_radius_server (string) | | Captive portal RADIUS server domain name or IP address. |
| ↳ captive_portal_session_timeout_interval (integer) | | Session timeout interval (0 - 864000 sec). |
| ↳ dhcp_lease_time (integer) | | DHCP lease time in seconds for NAT IP address. |
| ↳ dhcp_option82_circuit_id_insertion (string) | | Enable/disable DHCP option 82 circuit-id insert. |
| ↳ dhcp_option82_insertion (string) | | Enable/disable DHCP option 82 insert. |
| ↳ dhcp_option82_remote_id_insertion (string) | | Enable/disable DHCP option 82 remote-id insert. |
| ↳ dynamic_vlan (string) | | Enable/disable dynamic VLAN assignment. |
| ↳ eap_reauth (string) | | Enable/disable EAP re-authentication for WPA-Enterprise security. |
| ↳ eap_reauth_intv (integer) | | EAP re-authentication interval (1800 - 864000 sec). |
| ↳ eapol_key_retries (string) | | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). |
| ↳ encrypt (string) | | Encryption protocol to use (only available when security is set to a WPA type). |
| ↳ external_fast_roaming (string) | | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate. |
| ↳ external_logout (string) | | URL of external authentication logout server. |
| ↳ external_web (string) | | URL of external authentication web server. |
| ↳ fast_bss_transition (string) | | Enable/disable 802.11r Fast BSS Transition (FT). |
| ↳ fast_roaming (string) | | Enable/disable fast-roaming, or pre-authentication, where supported by clients. |
| ↳ ft_mobility_domain (integer) | | Mobility domain identifier in FT (1 - 65535). |
| ↳ ft_over_ds (string) | | Enable/disable FT over the Distribution System (DS). |
| ↳ ft_r0_key_lifetime (integer) | | Lifetime of the PMK-R0 key in FT, 1-65535 minutes. |
| ↳ gtk_rekey (string) | | Enable/disable GTK rekey for WPA security. |
| ↳ gtk_rekey_intv (integer) | | GTK rekey interval (1800 - 864000 sec). |
| ↳ hotspot20_profile (string) | | Hotspot 2.0 profile name. |
| ↳ intra_vap_privacy (string) | | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy). |
| ↳ ip (string) | | IP address and subnet mask for the local standalone NAT subnet. |
| ↳ key (string) | | WEP Key. |
| ↳ keyindex (integer) | | WEP key index (1 - 4). |
| ↳ ldpc (string) | | VAP low-density parity-check (LDPC) coding configuration. |
| ↳ local_authentication (string) | | Enable/disable AP local authentication. |
| ↳ local_bridging (string) | | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP. |
| ↳ local_lan (string) | | Allow/deny traffic destined for a Class A, B, or C private IP address. |
| ↳ local_standalone (string) | | Enable/disable AP local standalone. |
| ↳ local_standalone_nat (string) | | Enable/disable AP local standalone NAT mode. |
| ↳ mac_auth_bypass (string) | | Enable/disable MAC authentication bypass. |
| ↳ mac_filter (string) | | Enable/disable MAC filtering to block wireless clients by MAC address. |
| ↳ mac_filter_list (list / elements=string) | | Create a list of MAC addresses for MAC address filtering. |
| ↳ ↳ id (integer / required) | | ID. |
| ↳ ↳ mac (string) | | MAC address. |
| ↳ ↳ mac_filter_policy (string) | | Deny or allow the client with this MAC address. |
| ↳ mac_filter_policy_other (string) | | Allow or block clients with MAC addresses that are not in the filter list. |
| ↳ max_clients (integer) | | Maximum number of clients that can connect simultaneously to the VAP. |
| ↳ max_clients_ap (integer) | | Maximum number of clients that can connect simultaneously to each radio. |
| ↳ me_disable_thresh (integer) | | Disable multicast enhancement when this many clients are receiving multicast traffic. |
| ↳ mesh_backhaul (string) | | Enable/disable using this VAP as a WiFi mesh backhaul. This entry is only available when security is set to a WPA type or open. |
| ↳ mpsk (string) | | Enable/disable multiple pre-shared keys (PSKs). |
| ↳ mpsk_concurrent_clients (integer) | | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. |
| ↳ mpsk_key (list / elements=string) | | Pre-shared keys that can be used to connect to this virtual access point. |
| ↳ ↳ comment (string) | | Comment. |
| ↳ ↳ concurrent_clients (string) | | Number of clients that can connect using this pre-shared key. |
| ↳ ↳ key_name (string) | | Pre-shared key name. |
| ↳ ↳ passphrase (string) | | WPA Pre-shared key. |
| ↳ multicast_enhance (string) | | Enable/disable converting multicast to unicast to improve performance. |
| ↳ multicast_rate (string) | | Multicast rate (0, 6000, 12000, or 24000 kbps). |
| ↳ name (string / required) | | Virtual AP name. |
| ↳ okc (string) | | Enable/disable Opportunistic Key Caching (OKC). |
| ↳ passphrase (string) | | WPA pre-shared key (PSK) to be used to authenticate WiFi users. |
| ↳ pmf (string) | | Protected Management Frames (PMF) support. |
| ↳ pmf_assoc_comeback_timeout (integer) | | Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). |
| ↳ pmf_sa_query_retry_timeout (integer) | | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in 100s of msec). |
| ↳ portal_message_override_group (string) | | Replacement message group for this VAP (only available when security is set to a captive portal type). |
| ↳ portal_message_overrides (dictionary) | | Individual message overrides. |
| ↳ ↳ auth_disclaimer_page (string) | | Override auth-disclaimer-page message with message from portal-message-overrides group. |
| ↳ ↳ auth_login_failed_page (string) | | Override auth-login-failed-page message with message from portal-message-overrides group. |
| ↳ ↳ auth_login_page (string) | | Override auth-login-page message with message from portal-message-overrides group. |
| ↳ ↳ auth_reject_page (string) | | Override auth-reject-page message with message from portal-message-overrides group. |
| ↳ portal_type (string) | | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. |
| ↳ probe_resp_suppression (string) | | Enable/disable probe response suppression (to ignore weak signals). |
| ↳ probe_resp_threshold (string) | | Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). |
| ↳ ptk_rekey (string) | | Enable/disable PTK rekey for WPA-Enterprise security. |
| ↳ ptk_rekey_intv (integer) | | PTK rekey interval (1800 - 864000 sec). |
| ↳ qos_profile (string) | | Quality of service profile name. |
| ↳ quarantine (string) | | Enable/disable station quarantine. |
| ↳ radius_mac_auth (string) | | Enable/disable RADIUS-based MAC authentication of clients. |
| ↳ radius_mac_auth_server (string) | | RADIUS-based MAC authentication server. |
| ↳ radius_server (string) | | RADIUS server to be used to authenticate WiFi users. |
| ↳ rates_11a (string) | | Allowed data rates for 802.11a. |
| ↳ rates_11ac_ss12 (string) | | Allowed data rates for 802.11ac with 1 or 2 spatial streams. |
| ↳ rates_11ac_ss34 (string) | | Allowed data rates for 802.11ac with 3 or 4 spatial streams. |
| ↳ rates_11bg (string) | | Allowed data rates for 802.11b/g. |
| ↳ rates_11n_ss12 (string) | | Allowed data rates for 802.11n with 1 or 2 spatial streams. |
| ↳ rates_11n_ss34 (string) | | Allowed data rates for 802.11n with 3 or 4 spatial streams. |
| ↳ schedule (string) | | VAP schedule name. |
| ↳ security (string) | | Security mode for the wireless interface. |
| ↳ security_exempt_list (string) | | Optional security exempt list for captive portal authentication. |
| ↳ security_obsolete_option (string) | | Enable/disable obsolete security options. |
| ↳ security_redirect_url (string) | | Optional URL for redirecting users after they pass captive portal authentication. |
| ↳ selected_usergroups (list / elements=string) | | Selective user groups that are permitted to authenticate. |
| ↳ ↳ name (string / required) | | User group name. |
| ↳ split_tunneling (string) | | Enable/disable split tunneling. |
| ↳ ssid (string) | | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. |
| ↳ state (string) | | Deprecated. Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. |
| ↳ tkip_counter_measure (string) | | Enable/disable TKIP counter measure. |
| ↳ usergroup (list / elements=string) | | Firewall user group to be used to authenticate WiFi users. |
| ↳ ↳ name (string / required) | | User group name. |
| ↳ utm_profile (string) | | UTM profile name. |
| ↳ vdom (string) | | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name. |
| ↳ vlan_auto (string) | | Enable/disable automatic management of SSID VLAN interface. |
| ↳ vlan_pool (list / elements=string) | | VLAN pool. |
| ↳ ↳ id (integer / required) | | ID. |
| ↳ ↳ wtp_group (string) | | WTP group name. |
| ↳ vlan_pooling (string) | | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. |
| ↳ vlanid (integer) | | Optional VLAN ID. |
| ↳ voice_enterprise (string) | | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming. |
```yaml
# Sample values below are generated placeholders; several fall outside
# the ranges given in the parameter table and must be replaced before use.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # With "no", the FortiGate TLS certificate is not validated.
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Virtual Access Points (VAPs).
      fortios_wireless_controller_vap:
        vdom: "{{ vdom }}"
        state: "present"
        wireless_controller_vap:
          acct_interim_interval: "3"
          alias: "<your_own_value>"
          auth: "psk"
          broadcast_ssid: "enable"
          broadcast_suppression: "dhcp-up"
          captive_portal_ac_name: "<your_own_value>"
          captive_portal_macauth_radius_secret: "<your_own_value>"
          captive_portal_macauth_radius_server: "<your_own_value>"
          captive_portal_radius_secret: "<your_own_value>"
          captive_portal_radius_server: "<your_own_value>"
          captive_portal_session_timeout_interval: "13"
          dhcp_lease_time: "14"
          dhcp_option82_circuit_id_insertion: "style-1"
          dhcp_option82_insertion: "enable"
          dhcp_option82_remote_id_insertion: "style-1"
          dynamic_vlan: "enable"
          eap_reauth: "enable"
          eap_reauth_intv: "20"
          eapol_key_retries: "disable"
          encrypt: "TKIP"
          external_fast_roaming: "enable"
          external_logout: "<your_own_value>"
          external_web: "<your_own_value>"
          fast_bss_transition: "disable"
          fast_roaming: "enable"
          ft_mobility_domain: "28"
          ft_over_ds: "disable"
          ft_r0_key_lifetime: "30"
          gtk_rekey: "enable"
          gtk_rekey_intv: "32"
          hotspot20_profile: "<your_own_value>"
          intra_vap_privacy: "enable"
          ip: "<your_own_value>"
          key: "<your_own_value>"
          keyindex: "37"
          ldpc: "disable"
          local_authentication: "enable"
          local_bridging: "enable"
          local_lan: "allow"
          local_standalone: "enable"
          local_standalone_nat: "enable"
          mac_auth_bypass: "enable"
          mac_filter: "enable"
          mac_filter_list:
            - id: "47"
              mac: "<your_own_value>"
              mac_filter_policy: "allow"
          mac_filter_policy_other: "allow"
          max_clients: "51"
          max_clients_ap: "52"
          me_disable_thresh: "53"
          mesh_backhaul: "enable"
          mpsk: "enable"
          mpsk_concurrent_clients: "56"
          mpsk_key:
            - comment: "Comment."
              concurrent_clients: "<your_own_value>"
              key_name: "<your_own_value>"
              passphrase: "<your_own_value>"
          multicast_enhance: "enable"
          multicast_rate: "0"
          name: "default_name_64"
          okc: "disable"
          passphrase: "<your_own_value>"
          pmf: "disable"
          pmf_assoc_comeback_timeout: "68"
          pmf_sa_query_retry_timeout: "69"
          portal_message_override_group: "<your_own_value>"
          portal_message_overrides:
            auth_disclaimer_page: "<your_own_value>"
            auth_login_failed_page: "<your_own_value>"
            auth_login_page: "<your_own_value>"
            auth_reject_page: "<your_own_value>"
          portal_type: "auth"
          probe_resp_suppression: "enable"
          probe_resp_threshold: "<your_own_value>"
          ptk_rekey: "enable"
          ptk_rekey_intv: "80"
          qos_profile: "<your_own_value>"
          quarantine: "enable"
          radius_mac_auth: "enable"
          radius_mac_auth_server: "<your_own_value>"
          radius_server: "<your_own_value>"
          rates_11a: "1"
          rates_11ac_ss12: "mcs0/1"
          rates_11ac_ss34: "mcs0/3"
          rates_11bg: "1"
          rates_11n_ss12: "mcs0/1"
          rates_11n_ss34: "mcs16/3"
          schedule: "<your_own_value>"
          security: "open"
          security_exempt_list: "<your_own_value>"
          security_obsolete_option: "enable"
          security_redirect_url: "<your_own_value>"
          selected_usergroups:
            - name: "default_name_98"
          split_tunneling: "enable"
          ssid: "<your_own_value>"
          tkip_counter_measure: "enable"
          usergroup:
            - name: "default_name_103"
          utm_profile: "<your_own_value>"
          vdom: "<your_own_value> (source system.vdom.name)"
          vlan_auto: "enable"
          vlan_pool:
            - id: "108"
              wtp_group: "<your_own_value>"
          vlan_pooling: "wtp-group"
          vlanid: "111"
          voice_enterprise: "disable"
```
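The integer ranges in the parameter table can be checked before a task is sent to the FortiGate, and the sample task above fails several of them. The following Python check is an added example, not code from the fortinet.fortios collection; `audit_vap`, `RANGES`, `WEAK` and `SAMPLE` are hypothetical names, and the weak-setting list is this example's own policy rather than module behaviour.

```python
# Added example, not part of the fortinet.fortios collection.
# RANGES is copied from the parameter table on this page.
RANGES = {
    "acct_interim_interval": (60, 86400),
    "captive_portal_session_timeout_interval": (0, 864000),
    "eap_reauth_intv": (1800, 864000),
    "ft_mobility_domain": (1, 65535),
    "ft_r0_key_lifetime": (1, 65535),
    "gtk_rekey_intv": (1800, 864000),
    "keyindex": (1, 4),
    "pmf_assoc_comeback_timeout": (1, 20),
    "pmf_sa_query_retry_timeout": (1, 5),
    "probe_resp_threshold": (-95, -20),
    "ptk_rekey_intv": (1800, 864000),
}
# WEAK is this example's own policy (an assumption), not module behaviour.
WEAK = {
    ("security", "open"): "no link-layer encryption",
    ("encrypt", "TKIP"): "TKIP is deprecated",
    ("security_obsolete_option", "enable"): "obsolete security options enabled",
    ("pmf", "disable"): "management frames are unprotected",
}

def audit_vap(vap):
    """Return a sorted list of (parameter, problem) findings for a VAP dict."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name not in vap:
            continue
        try:
            value = int(vap[name])
        except (TypeError, ValueError):
            findings.append((name, "not an integer"))
            continue
        if not lo <= value <= hi:
            findings.append((name, f"{value} outside documented range {lo}-{hi}"))
    for (name, bad), why in WEAK.items():
        if str(vap.get(name, "")).lower() == bad.lower():
            findings.append((name, why))
    return sorted(findings)

# Constructed input: a subset of the values in the page's sample task.
SAMPLE = {
    "name": "default_name_64", "acct_interim_interval": "3",
    "eap_reauth_intv": "20", "gtk_rekey_intv": "32", "keyindex": "37",
    "pmf_assoc_comeback_timeout": "68", "ft_mobility_domain": "28",
    "security": "open", "encrypt": "TKIP",
    "security_obsolete_option": "enable", "pmf": "disable",
}
if __name__ == "__main__":
    for name, problem in audit_vap(SAMPLE):
        print(f"{name}: {problem}")
```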
Common return values are documented here; the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| build (string) | always | Build number of the FortiGate image. Sample: 1547 |
| http_method (string) | always | Last method used to provision the content into FortiGate. Sample: PUT |
| http_status (string) | always | Last result given by FortiGate on last operation applied. Sample: 200 |
| mkey (string) | success | Master key (id) used in the last call to FortiGate. Sample: id |
| name (string) | always | Name of the table used to fulfill the request. Sample: urlfilter |
| path (string) | always | Path of the table used to fulfill the request. Sample: webfilter |
| revision (string) | always | Internal revision number. Sample: 17.0.2.10658 |
| serial (string) | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352 |
| status (string) | always | Indication of the operation's result. Sample: success |
| vdom (string) | always | Virtual domain used. Sample: root |
| version (string) | always | Version of the FortiGate. Sample: v5.6.3 |
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/fortinet/fortios/fortios_wireless_controller_vap_module.html