fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the wireless_controller feature, vap category. The examples include all parameters; the values need to be adjusted to your own datasources before use. Tested with FOS v6.0.5.
Requirements
The following requirements are needed on the host that executes this module.
- fortiosapi>=0.9.8
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
host (string) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests towards the FortiGate must use the HTTPS protocol.
password (string) | Default: "" | FortiOS or FortiGate password.
ssl_verify (boolean, added in 2.9) | | Ensures the FortiGate certificate is verified by a proper CA.
state (string, added in 2.9) | | Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level.
username (string) | | FortiOS or FortiGate username.
vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit.
wireless_controller_vap (dictionary) | Default: null | Configure Virtual Access Points (VAPs). Its suboptions are listed in the table below.

Suboptions of wireless_controller_vap. Elements of list-type suboptions are written as parent[].child; keys of dictionary-type suboptions as parent.child.

Suboption | Comments
---|---
acct_interim_interval (integer) | WiFi RADIUS accounting interim interval (60 - 86400 sec).
alias (string) | Alias.
auth (string) | Authentication protocol.
broadcast_ssid (string) | Enable/disable broadcasting the SSID.
broadcast_suppression (string) | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off the wireless network.
captive_portal_ac_name (string) | Local-bridging captive portal ac-name.
captive_portal_macauth_radius_secret (string) | Secret key to access the macauth RADIUS server.
captive_portal_macauth_radius_server (string) | Captive portal external RADIUS server domain name or IP address.
captive_portal_radius_secret (string) | Secret key to access the RADIUS server.
captive_portal_radius_server (string) | Captive portal RADIUS server domain name or IP address.
captive_portal_session_timeout_interval (integer) | Session timeout interval (0 - 864000 sec).
dhcp_lease_time (integer) | DHCP lease time in seconds for the NAT IP address.
dhcp_option82_circuit_id_insertion (string) | Enable/disable DHCP option 82 circuit-id insertion.
dhcp_option82_insertion (string) | Enable/disable DHCP option 82 insertion.
dhcp_option82_remote_id_insertion (string) | Enable/disable DHCP option 82 remote-id insertion.
dynamic_vlan (string) | Enable/disable dynamic VLAN assignment.
eap_reauth (string) | Enable/disable EAP re-authentication for WPA-Enterprise security.
eap_reauth_intv (integer) | EAP re-authentication interval (1800 - 864000 sec).
eapol_key_retries (string) | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2).
encrypt (string) | Encryption protocol to use (only available when security is set to a WPA type).
external_fast_roaming (string) | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate.
external_logout (string) | URL of the external authentication logout server.
external_web (string) | URL of the external authentication web server.
fast_bss_transition (string) | Enable/disable 802.11r Fast BSS Transition (FT).
fast_roaming (string) | Enable/disable fast roaming, or pre-authentication, where supported by clients.
ft_mobility_domain (integer) | Mobility domain identifier in FT (1 - 65535).
ft_over_ds (string) | Enable/disable FT over the Distribution System (DS).
ft_r0_key_lifetime (integer) | Lifetime of the PMK-R0 key in FT (1 - 65535 minutes).
gtk_rekey (string) | Enable/disable GTK rekey for WPA security.
gtk_rekey_intv (integer) | GTK rekey interval (1800 - 864000 sec).
hotspot20_profile (string) | Hotspot 2.0 profile name.
intra_vap_privacy (string) | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy).
ip (string) | IP address and subnet mask for the local standalone NAT subnet.
key (string) | WEP key.
keyindex (integer) | WEP key index (1 - 4).
ldpc (string) | VAP low-density parity-check (LDPC) coding configuration.
local_authentication (string) | Enable/disable AP local authentication.
local_bridging (string) | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP.
local_lan (string) | Allow/deny traffic destined for a Class A, B, or C private IP address.
local_standalone (string) | Enable/disable AP local standalone mode.
local_standalone_nat (string) | Enable/disable AP local standalone NAT mode.
mac_auth_bypass (string) | Enable/disable MAC authentication bypass.
mac_filter (string) | Enable/disable MAC filtering to block wireless clients by MAC address.
mac_filter_list (list) | Create a list of MAC addresses for MAC address filtering.
mac_filter_list[].id (integer / required) | ID.
mac_filter_list[].mac (string) | MAC address.
mac_filter_list[].mac_filter_policy (string) | Deny or allow the client with this MAC address.
mac_filter_policy_other (string) | Allow or block clients with MAC addresses that are not in the filter list.
max_clients (integer) | Maximum number of clients that can connect simultaneously to the VAP.
max_clients_ap (integer) | Maximum number of clients that can connect simultaneously to each radio.
me_disable_thresh (integer) | Disable multicast enhancement when this many clients are receiving multicast traffic.
mesh_backhaul (string) | Enable/disable using this VAP as a WiFi mesh backhaul. This entry is only available when security is set to a WPA type or open.
mpsk (string) | Enable/disable multiple pre-shared keys (PSKs).
mpsk_concurrent_clients (integer) | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
mpsk_key (list) | Pre-shared keys that can be used to connect to this virtual access point.
mpsk_key[].comment (string) | Comment.
mpsk_key[].concurrent_clients (string) | Number of clients that can connect using this pre-shared key.
mpsk_key[].key_name (string) | Pre-shared key name.
mpsk_key[].passphrase (string) | WPA pre-shared key.
multicast_enhance (string) | Enable/disable converting multicast to unicast to improve performance.
multicast_rate (string) | Multicast rate (0, 6000, 12000, or 24000 kbps).
name (string / required) | Virtual AP name.
okc (string) | Enable/disable Opportunistic Key Caching (OKC).
passphrase (string) | WPA pre-shared key (PSK) used to authenticate WiFi users.
pmf (string) | Protected Management Frames (PMF) support.
pmf_assoc_comeback_timeout (integer) | Protected Management Frames (PMF) association comeback maximum timeout (1 - 20 sec).
pmf_sa_query_retry_timeout (integer) | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 ms).
portal_message_override_group (string) | Replacement message group for this VAP (only available when security is set to a captive portal type).
portal_message_overrides (dictionary) | Individual message overrides.
portal_message_overrides.auth_disclaimer_page (string) | Override the auth-disclaimer-page message with the message from the portal-message-overrides group.
portal_message_overrides.auth_login_failed_page (string) | Override the auth-login-failed-page message with the message from the portal-message-overrides group.
portal_message_overrides.auth_login_page (string) | Override the auth-login-page message with the message from the portal-message-overrides group.
portal_message_overrides.auth_reject_page (string) | Override the auth-reject-page message with the message from the portal-message-overrides group.
portal_type (string) | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
probe_resp_suppression (string) | Enable/disable probe response suppression (to ignore weak signals).
probe_resp_threshold (string) | Minimum signal level/threshold in dBm required for the AP to respond to probe requests (-95 to -20).
ptk_rekey (string) | Enable/disable PTK rekey for WPA-Enterprise security.
ptk_rekey_intv (integer) | PTK rekey interval (1800 - 864000 sec).
qos_profile (string) | Quality of service profile name.
quarantine (string) | Enable/disable station quarantine.
radio_2g_threshold (string) | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 2.4 GHz band (-95 to -20).
radio_5g_threshold (string) | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 5 GHz band (-95 to -20).
radio_sensitivity (string) | Enable/disable software radio sensitivity (to ignore weak signals).
radius_mac_auth (string) | Enable/disable RADIUS-based MAC authentication of clients.
radius_mac_auth_server (string) | RADIUS-based MAC authentication server.
radius_mac_auth_usergroups (list) | Selective user groups that are permitted for RADIUS MAC authentication.
radius_mac_auth_usergroups[].name (string / required) | User group name.
radius_server (string) | RADIUS server to be used to authenticate WiFi users.
rates_11a (string) | Allowed data rates for 802.11a.
rates_11ac_ss12 (string) | Allowed data rates for 802.11ac with 1 or 2 spatial streams.
rates_11ac_ss34 (string) | Allowed data rates for 802.11ac with 3 or 4 spatial streams.
rates_11bg (string) | Allowed data rates for 802.11b/g.
rates_11n_ss12 (string) | Allowed data rates for 802.11n with 1 or 2 spatial streams.
rates_11n_ss34 (string) | Allowed data rates for 802.11n with 3 or 4 spatial streams.
schedule (string) | VAP schedule name.
security (string) | Security mode for the wireless interface.
security_exempt_list (string) | Optional security exempt list for captive portal authentication.
security_obsolete_option (string) | Enable/disable obsolete security options.
security_redirect_url (string) | Optional URL for redirecting users after they pass captive portal authentication.
selected_usergroups (list) | Selective user groups that are permitted to authenticate.
selected_usergroups[].name (string / required) | User group name.
split_tunneling (string) | Enable/disable split tunneling.
ssid (string) | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
state (string) | Deprecated: starting with Ansible 2.9, the top-level 'state' parameter is recommended instead. Indicates whether to create or remove the object.
tkip_counter_measure (string) | Enable/disable TKIP countermeasures.
usergroup (list) | Firewall user group to be used to authenticate WiFi users.
usergroup[].name (string / required) | User group name.
utm_profile (string) | UTM profile name.
vdom (string) | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
vlan_auto (string) | Enable/disable automatic management of the SSID VLAN interface.
vlan_pool (list) | VLAN pool.
vlan_pool[].id (integer / required) | ID.
vlan_pool[].wtp_group (string) | WTP group name.
vlan_pooling (string) | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
vlanid (integer) | Optional VLAN ID.
voice_enterprise (string) | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming.
Notes
- Requires the fortiosapi library developed by Fortinet.
- Run as a local_action in your playbook.
Examples
```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
    ssl_verify: "False"
  tasks:
    - name: Configure Virtual Access Points (VAPs).
      fortios_wireless_controller_vap:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        state: "present"
        wireless_controller_vap:
          acct_interim_interval: "3"
          alias: "<your_own_value>"
          auth: "psk"
          broadcast_ssid: "enable"
          broadcast_suppression: "dhcp-up"
          captive_portal_ac_name: "<your_own_value>"
          captive_portal_macauth_radius_secret: "<your_own_value>"
          captive_portal_macauth_radius_server: "<your_own_value>"
          captive_portal_radius_secret: "<your_own_value>"
          captive_portal_radius_server: "<your_own_value>"
          captive_portal_session_timeout_interval: "13"
          dhcp_lease_time: "14"
          dhcp_option82_circuit_id_insertion: "style-1"
          dhcp_option82_insertion: "enable"
          dhcp_option82_remote_id_insertion: "style-1"
          dynamic_vlan: "enable"
          eap_reauth: "enable"
          eap_reauth_intv: "20"
          eapol_key_retries: "disable"
          encrypt: "TKIP"
          external_fast_roaming: "enable"
          external_logout: "<your_own_value>"
          external_web: "<your_own_value>"
          fast_bss_transition: "disable"
          fast_roaming: "enable"
          ft_mobility_domain: "28"
          ft_over_ds: "disable"
          ft_r0_key_lifetime: "30"
          gtk_rekey: "enable"
          gtk_rekey_intv: "32"
          hotspot20_profile: "<your_own_value>"
          intra_vap_privacy: "enable"
          ip: "<your_own_value>"
          key: "<your_own_value>"
          keyindex: "37"
          ldpc: "disable"
          local_authentication: "enable"
          local_bridging: "enable"
          local_lan: "allow"
          local_standalone: "enable"
          local_standalone_nat: "enable"
          mac_auth_bypass: "enable"
          mac_filter: "enable"
          mac_filter_list:
            - id: "47"
              mac: "<your_own_value>"
              mac_filter_policy: "allow"
          mac_filter_policy_other: "allow"
          max_clients: "51"
          max_clients_ap: "52"
          me_disable_thresh: "53"
          mesh_backhaul: "enable"
          mpsk: "enable"
          mpsk_concurrent_clients: "56"
          mpsk_key:
            - comment: "Comment."
              concurrent_clients: "<your_own_value>"
              key_name: "<your_own_value>"
              passphrase: "<your_own_value>"
          multicast_enhance: "enable"
          multicast_rate: "0"
          name: "default_name_64"
          okc: "disable"
          passphrase: "<your_own_value>"
          pmf: "disable"
          pmf_assoc_comeback_timeout: "68"
          pmf_sa_query_retry_timeout: "69"
          portal_message_override_group: "<your_own_value>"
          portal_message_overrides:
            auth_disclaimer_page: "<your_own_value>"
            auth_login_failed_page: "<your_own_value>"
            auth_login_page: "<your_own_value>"
            auth_reject_page: "<your_own_value>"
          portal_type: "auth"
          probe_resp_suppression: "enable"
          probe_resp_threshold: "<your_own_value>"
          ptk_rekey: "enable"
          ptk_rekey_intv: "80"
          qos_profile: "<your_own_value>"
          quarantine: "enable"
          radio_2g_threshold: "<your_own_value>"
          radio_5g_threshold: "<your_own_value>"
          radio_sensitivity: "enable"
          radius_mac_auth: "enable"
          radius_mac_auth_server: "<your_own_value>"
          radius_mac_auth_usergroups:
            - name: "default_name_89"
          radius_server: "<your_own_value>"
          rates_11a: "1"
          rates_11ac_ss12: "mcs0/1"
          rates_11ac_ss34: "mcs0/3"
          rates_11bg: "1"
          rates_11n_ss12: "mcs0/1"
          rates_11n_ss34: "mcs16/3"
          schedule: "<your_own_value>"
          security: "open"
          security_exempt_list: "<your_own_value>"
          security_obsolete_option: "enable"
          security_redirect_url: "<your_own_value>"
          selected_usergroups:
            - name: "default_name_103"
          split_tunneling: "enable"
          ssid: "<your_own_value>"
          tkip_counter_measure: "enable"
          usergroup:
            - name: "default_name_108"
          utm_profile: "<your_own_value>"
          vdom: "<your_own_value> (source system.vdom.name)"
          vlan_auto: "enable"
          vlan_pool:
            - id: "113"
              wtp_group: "<your_own_value>"
          vlan_pooling: "wtp-group"
          vlanid: "116"
          voice_enterprise: "disable"
```
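The generated example above exercises every parameter and, as placeholders, leaves the VAP open (security: "open", encrypt: "TKIP", pmf: "disable", https: "False", ssl_verify: "False"). The playbook below is an added editor's example, not part of the module's own documentation, showing the subset of these parameters a defender would set for a WPA2-Enterprise SSID, with the API session itself protected and the returned status checked. It assumes the choice values wpa2-only-enterprise, AES, radius, enable and disable follow the FortiOS 6.0 CLI (they are not listed on this page), that "corp-radius" is a hypothetical RADIUS server object already defined on the FortiGate, and that vault_fortigate_password is a placeholder for an Ansible Vault variable.

```yaml
# Added example (not from the module docs): hardened WPA2-Enterprise VAP.
# Assumptions: choice values follow the FortiOS 6.0 CLI; "corp-radius" is a
# hypothetical RADIUS server object; vault_fortigate_password is a placeholder.
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: "{{ vault_fortigate_password }}"   # credential comes from Ansible Vault
    vdom: "root"
  tasks:
    - name: Configure a WPA2-Enterprise VAP with PMF and client isolation
      fortios_wireless_controller_vap:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "True"                # API credentials never travel over plain HTTP
        ssl_verify: "True"           # reject a FortiGate certificate not signed by a trusted CA
        state: "present"
        wireless_controller_vap:
          name: "corp-wifi"
          ssid: "corp-wifi"
          security: "wpa2-only-enterprise"   # 802.1X/EAP only; no WPA1 or PSK fallback
          encrypt: "AES"                     # CCMP; TKIP is not offered to clients
          auth: "radius"
          radius_server: "corp-radius"       # hypothetical RADIUS server object name
          pmf: "enable"                      # 802.11w protects deauth/disassoc frames
          intra_vap_privacy: "enable"        # clients on the SSID cannot reach each other
          security_obsolete_option: "disable"
          eap_reauth: "enable"
          eap_reauth_intv: "3600"            # within the documented 1800 - 864000 sec range
          ptk_rekey: "enable"
          ptk_rekey_intv: "3600"
          gtk_rekey: "enable"
          gtk_rekey_intv: "3600"
          broadcast_suppression: "dhcp-up"
      no_log: true                   # keep admin and RADIUS secrets out of the job log
      register: vap_result

    # Return values are documented below; fail the play if the FortiGate
    # did not accept the object instead of silently continuing.
    - name: Verify the FortiGate accepted the VAP
      assert:
        that:
          - vap_result.status == "success"
          - (vap_result.http_status | string) == "200"
        fail_msg: "FortiGate returned http_status {{ vap_result.http_status }}"
```

Because the task sets no_log, its result is censored in the playbook output, but the registered vap_result variable still carries the module's return values, which is why the follow-up assert can inspect status and http_status.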
Return Values
Common return values are documented in the Ansible return values reference; the following fields are unique to this module:
Key | Returned | Description
---|---|---
build (string) | always | Build number of the FortiGate image. Sample: 1547
http_method (string) | always | Last method used to provision the content into the FortiGate. Sample: PUT
http_status (string) | always | Last result given by the FortiGate on the last operation applied. Sample: 200
mkey (string) | success | Master key (id) used in the last call to the FortiGate. Sample: id
name (string) | always | Name of the table used to fulfill the request. Sample: urlfilter
path (string) | always | Path of the table used to fulfill the request. Sample: webfilter
revision (string) | always | Internal revision number. Sample: 17.0.2.10658
serial (string) | always | Serial number of the unit. Sample: FGVMEVYYQT3AB5352
status (string) | always | Indication of the operation's result. Sample: success
vdom (string) | always | Virtual domain used. Sample: root
version (string) | always | Version of the FortiGate. Sample: v5.6.3
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fortios_wireless_controller_vap_module.html