fortinet.fortimanager.fmgr_user_radius – Configure RADIUS server entries.
Note
This plugin is part of the fortinet.fortimanager collection (version 2.0.1).
To install it use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_user_radius.
New in version 2.10: of fortinet.fortimanager
Synopsis
- This module is able to configure a FortiManager device.
- Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| adom
string / required
|
the parameter (adom) in requested url
|
||||
| bypass_validation
boolean
|
|
only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters
|
|||
| rc_failed
list / elements=string
|
the rc codes list with which the conditions to fail will be overriden
|
||||
| rc_succeeded
list / elements=string
|
the rc codes list with which the conditions to succeed will be overriden
|
||||
| state
string / required
|
|
the directive to create, update or delete an object
|
|||
| user_radius
dictionary
|
the top level parameters set
|
||||
| accounting-server
list / elements=string
|
no description
|
||||
| id
integer
|
ID (0 - 4294967295).
|
||||
| port
integer
|
RADIUS accounting port number.
|
||||
| secret
string
|
no description
|
||||
| server
string
|
{<name_str|ip_str>} Server CN domain name or IP.
|
||||
| source-ip
string
|
Source IP address for communications to the RADIUS server.
|
||||
| status
string
|
|
Status.
|
|||
| acct-all-servers
string
|
|
Enable/disable sending of accounting messages to all configured servers (default = disable).
|
|||
| acct-interim-interval
integer
|
Time in seconds between each accounting interim update message.
|
||||
| all-usergroup
string
|
|
Enable/disable automatically including this RADIUS server in all user groups.
|
|||
| auth-type
string
|
|
Authentication methods/protocols permitted for this RADIUS server.
|
|||
| class
string
|
no description
|
||||
| dynamic_mapping
list / elements=string
|
no description
|
||||
| _scope
list / elements=string
|
no description
|
||||
| name
string
|
no description
|
||||
| vdom
string
|
no description
|
||||
| acct-all-servers
string
|
|
no description
|
|||
| acct-interim-interval
integer
|
no description
|
||||
| all-usergroup
string
|
|
no description
|
|||
| auth-type
string
|
|
no description
|
|||
| class
string
|
no description
|
||||
| dp-carrier-endpoint-attribute
string
|
|
no description
|
|||
| dp-carrier-endpoint-block-attribute
string
|
|
no description
|
|||
| dp-context-timeout
integer
|
no description
|
||||
| dp-flush-ip-session
string
|
|
no description
|
|||
| dp-hold-time
integer
|
no description
|
||||
| dp-http-header
string
|
no description
|
||||
| dp-http-header-fallback
string
|
|
no description
|
|||
| dp-http-header-status
string
|
|
no description
|
|||
| dp-http-header-suppress
string
|
|
no description
|
|||
| dp-log-dyn_flags
list / elements=string
|
|
no description
|
|||
| dp-log-period
integer
|
no description
|
||||
| dp-mem-percent
integer
|
no description
|
||||
| dp-profile-attribute
string
|
|
no description
|
|||
| dp-profile-attribute-key
string
|
no description
|
||||
| dp-radius-response
string
|
|
no description
|
|||
| dp-radius-server-port
integer
|
no description
|
||||
| dp-secret
string
|
no description
|
||||
| dp-validate-request-secret
string
|
|
no description
|
|||
| dynamic-profile
string
|
|
no description
|
|||
| endpoint-translation
string
|
|
no description
|
|||
| ep-carrier-endpoint-convert-hex
string
|
|
no description
|
|||
| ep-carrier-endpoint-header
string
|
no description
|
||||
| ep-carrier-endpoint-header-suppress
string
|
|
no description
|
|||
| ep-carrier-endpoint-prefix
string
|
|
no description
|
|||
| ep-carrier-endpoint-prefix-range-max
integer
|
no description
|
||||
| ep-carrier-endpoint-prefix-range-min
integer
|
no description
|
||||
| ep-carrier-endpoint-prefix-string
string
|
no description
|
||||
| ep-carrier-endpoint-source
string
|
|
no description
|
|||
| ep-ip-header
string
|
no description
|
||||
| ep-ip-header-suppress
string
|
|
no description
|
|||
| ep-missing-header-fallback
string
|
|
no description
|
|||
| ep-profile-query-type
string
|
|
no description
|
|||
| h3c-compatibility
string
|
|
no description
|
|||
| nas-ip
string
|
no description
|
||||
| password-encoding
string
|
|
no description
|
|||
| password-renewal
string
|
|
no description
|
|||
| radius-coa
string
|
|
no description
|
|||
| radius-port
integer
|
no description
|
||||
| rsso
string
|
|
no description
|
|||
| rsso-context-timeout
integer
|
no description
|
||||
| rsso-endpoint-attribute
string
|
|
no description
|
|||
| rsso-endpoint-block-attribute
string
|
|
no description
|
|||
| rsso-ep-one-ip-only
string
|
|
no description
|
|||
| rsso-flush-ip-session
string
|
|
no description
|
|||
| rsso-log-flags
list / elements=string
|
|
no description
|
|||
| rsso-log-period
integer
|
no description
|
||||
| rsso-radius-response
string
|
|
no description
|
|||
| rsso-radius-server-port
integer
|
no description
|
||||
| rsso-secret
string
|
no description
|
||||
| rsso-validate-request-secret
string
|
|
no description
|
|||
| secondary-secret
string
|
no description
|
||||
| secondary-server
string
|
no description
|
||||
| secret
string
|
no description
|
||||
| server
string
|
no description
|
||||
| source-ip
string
|
no description
|
||||
| sso-attribute
string
|
|
no description
|
|||
| sso-attribute-key
string
|
no description
|
||||
| sso-attribute-value-override
string
|
|
no description
|
|||
| tertiary-secret
string
|
no description
|
||||
| tertiary-server
string
|
no description
|
||||
| timeout
integer
|
no description
|
||||
| use-group-for-profile
string
|
|
no description
|
|||
| use-management-vdom
string
|
|
no description
|
|||
| username-case-sensitive
string
|
|
no description
|
|||
| h3c-compatibility
string
|
|
Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication.
|
|||
| name
string
|
RADIUS server entry name.
|
||||
| nas-ip
string
|
IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
|
||||
| password-encoding
string
|
|
Password encoding.
|
|||
| password-renewal
string
|
|
Enable/disable password renewal.
|
|||
| radius-coa
string
|
|
Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is a...
|
|||
| radius-port
integer
|
RADIUS service port number.
|
||||
| rsso
string
|
|
Enable/disable RADIUS based single sign on feature.
|
|||
| rsso-context-timeout
integer
|
Time in seconds before the logged out user is removed from the "user context list" of logged on users.
|
||||
| rsso-endpoint-attribute
string
|
|
RADIUS attributes used to extract the user end point identifer from the RADIUS Start record.
|
|||
| rsso-endpoint-block-attribute
string
|
|
RADIUS attributes used to block a user.
|
|||
| rsso-ep-one-ip-only
string
|
|
Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
|
|||
| rsso-flush-ip-session
string
|
|
Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
|
|||
| rsso-log-flags
list / elements=string
|
|
no description
|
|||
| rsso-log-period
integer
|
Time interval in seconds that group event log messages will be generated for dynamic profile events.
|
||||
| rsso-radius-response
string
|
|
Enable/disable sending RADIUS response packets after receiving Start and Stop records.
|
|||
| rsso-radius-server-port
integer
|
UDP port to listen on for RADIUS Start and Stop records.
|
||||
| rsso-secret
string
|
no description
|
||||
| rsso-validate-request-secret
string
|
|
Enable/disable validating the RADIUS request shared secret in the Start or End record.
|
|||
| secondary-secret
string
|
no description
|
||||
| secondary-server
string
|
{<name_str|ip_str>} secondary RADIUS CN domain name or IP.
|
||||
| secret
string
|
no description
|
||||
| server
string
|
Primary RADIUS server CN domain name or IP address.
|
||||
| source-ip
string
|
Source IP address for communications to the RADIUS server.
|
||||
| sso-attribute
string
|
|
RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
|
|||
| sso-attribute-key
string
|
Key prefix for SSO group value in the SSO attribute.
|
||||
| sso-attribute-value-override
string
|
|
Enable/disable override old attribute value with new value for the same endpoint.
|
|||
| tertiary-secret
string
|
no description
|
||||
| tertiary-server
string
|
{<name_str|ip_str>} tertiary RADIUS CN domain name or IP.
|
||||
| timeout
integer
|
Time in seconds between re-sending authentication requests.
|
||||
| use-management-vdom
string
|
|
Enable/disable using management VDOM to send requests.
|
|||
| username-case-sensitive
string
|
|
Enable/disable case sensitive user names.
|
|||
| workspace_locking_adom
string
|
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
|
||||
| workspace_locking_timeout
integer
|
Default:
300
|
the maximum time in seconds to wait for other user to release the workspace lock
|
|||
Notes
Note
- Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
- To create or update an object, use state present directive.
- To delete an object, use state absent directive.
- Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- hosts: fortimanager-inventory
collections:
- fortinet.fortimanager
connection: httpapi
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: Configure RADIUS server entries.
fmgr_user_radius:
bypass_validation: False
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
rc_succeeded: [0, -2, -3, ...]
rc_failed: [-2, -3, ...]
adom: <your own value>
state: <value in [present, absent]>
user_radius:
accounting-server:
-
id: <value of integer>
port: <value of integer>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
status: <value in [disable, enable]>
acct-all-servers: <value in [disable, enable]>
acct-interim-interval: <value of integer>
all-usergroup: <value in [disable, enable]>
auth-type: <value in [pap, chap, ms_chap, ...]>
class: <value of string>
dynamic_mapping:
-
_scope:
-
name: <value of string>
vdom: <value of string>
acct-all-servers: <value in [disable, enable]>
acct-interim-interval: <value of integer>
all-usergroup: <value in [disable, enable]>
auth-type: <value in [pap, chap, ms_chap, ...]>
class: <value of string>
dp-carrier-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-carrier-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-context-timeout: <value of integer>
dp-flush-ip-session: <value in [disable, enable]>
dp-hold-time: <value of integer>
dp-http-header: <value of string>
dp-http-header-fallback: <value in [ip-header-address, default-profile]>
dp-http-header-status: <value in [disable, enable]>
dp-http-header-suppress: <value in [disable, enable]>
dp-log-dyn_flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
dp-log-period: <value of integer>
dp-mem-percent: <value of integer>
dp-profile-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-profile-attribute-key: <value of string>
dp-radius-response: <value in [disable, enable]>
dp-radius-server-port: <value of integer>
dp-secret: <value of string>
dp-validate-request-secret: <value in [disable, enable]>
dynamic-profile: <value in [disable, enable]>
endpoint-translation: <value in [disable, enable]>
ep-carrier-endpoint-convert-hex: <value in [disable, enable]>
ep-carrier-endpoint-header: <value of string>
ep-carrier-endpoint-header-suppress: <value in [disable, enable]>
ep-carrier-endpoint-prefix: <value in [disable, enable]>
ep-carrier-endpoint-prefix-range-max: <value of integer>
ep-carrier-endpoint-prefix-range-min: <value of integer>
ep-carrier-endpoint-prefix-string: <value of string>
ep-carrier-endpoint-source: <value in [http-header, cookie]>
ep-ip-header: <value of string>
ep-ip-header-suppress: <value in [disable, enable]>
ep-missing-header-fallback: <value in [session-ip, policy-profile]>
ep-profile-query-type: <value in [session-ip, extract-ip, extract-carrier-endpoint]>
h3c-compatibility: <value in [disable, enable]>
nas-ip: <value of string>
password-encoding: <value in [ISO-8859-1, auto]>
password-renewal: <value in [disable, enable]>
radius-coa: <value in [disable, enable]>
radius-port: <value of integer>
rsso: <value in [disable, enable]>
rsso-context-timeout: <value of integer>
rsso-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-ep-one-ip-only: <value in [disable, enable]>
rsso-flush-ip-session: <value in [disable, enable]>
rsso-log-flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
rsso-log-period: <value of integer>
rsso-radius-response: <value in [disable, enable]>
rsso-radius-server-port: <value of integer>
rsso-secret: <value of string>
rsso-validate-request-secret: <value in [disable, enable]>
secondary-secret: <value of string>
secondary-server: <value of string>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
sso-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
sso-attribute-key: <value of string>
sso-attribute-value-override: <value in [disable, enable]>
tertiary-secret: <value of string>
tertiary-server: <value of string>
timeout: <value of integer>
use-group-for-profile: <value in [disable, enable]>
use-management-vdom: <value in [disable, enable]>
username-case-sensitive: <value in [disable, enable]>
h3c-compatibility: <value in [disable, enable]>
name: <value of string>
nas-ip: <value of string>
password-encoding: <value in [ISO-8859-1, auto]>
password-renewal: <value in [disable, enable]>
radius-coa: <value in [disable, enable]>
radius-port: <value of integer>
rsso: <value in [disable, enable]>
rsso-context-timeout: <value of integer>
rsso-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-ep-one-ip-only: <value in [disable, enable]>
rsso-flush-ip-session: <value in [disable, enable]>
rsso-log-flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
rsso-log-period: <value of integer>
rsso-radius-response: <value in [disable, enable]>
rsso-radius-server-port: <value of integer>
rsso-secret: <value of string>
rsso-validate-request-secret: <value in [disable, enable]>
secondary-secret: <value of string>
secondary-server: <value of string>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
sso-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
sso-attribute-key: <value of string>
sso-attribute-value-override: <value in [disable, enable]>
tertiary-secret: <value of string>
tertiary-server: <value of string>
timeout: <value of integer>
use-management-vdom: <value in [disable, enable]>
username-case-sensitive: <value in [disable, enable]>
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| request_url
string
|
always |
The full url requested
Sample:
/sys/login/user
|
| response_code
integer
|
always |
The status of api request
|
| response_message
string
|
always |
The descriptive message of the api response
Sample:
OK.
|
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Frank Shen (@fshen01)
- Hongbin Lu (@fgtdev-hblu)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/fortinet/fortimanager/fmgr_user_radius_module.html