New in version 2.8.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests towards the FortiGate must use HTTPS. Keep this enabled outside a lab: over plain HTTP the username, password and every secret in the VAP definition cross the network in clear text.
password | Default: "" | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A VDOM is a virtual instance of the FortiGate that can be configured and used as a separate unit.
wireless_controller_vap | Default: null | Configure Virtual Access Points (VAPs). A dictionary whose keys are listed in the next table.

Keys of the `wireless_controller_vap` dictionary. Entries of list-valued keys are written as `list / key`; `(required)` marks keys the module insists on.

Key | Comments
---|---
acct-interim-interval | WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
alias | Alias.
auth | Authentication protocol.
broadcast-ssid | Enable/disable broadcasting the SSID (default = enable).
broadcast-suppression | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off the wireless network.
captive-portal-ac-name | Local-bridging captive portal ac-name.
captive-portal-macauth-radius-secret | Secret key to access the macauth RADIUS server.
captive-portal-macauth-radius-server | Captive portal external RADIUS server domain name or IP address.
captive-portal-radius-secret | Secret key to access the RADIUS server.
captive-portal-radius-server | Captive portal RADIUS server domain name or IP address.
captive-portal-session-timeout-interval | Session timeout interval (0 - 864000 sec, default = 0).
dhcp-lease-time | DHCP lease time in seconds for the NAT IP address.
dhcp-option82-circuit-id-insertion | Enable/disable DHCP option 82 circuit-id insertion (default = disable).
dhcp-option82-insertion | Enable/disable DHCP option 82 insertion (default = disable).
dhcp-option82-remote-id-insertion | Enable/disable DHCP option 82 remote-id insertion (default = disable).
dynamic-vlan | Enable/disable dynamic VLAN assignment.
eap-reauth | Enable/disable EAP re-authentication for WPA-Enterprise security.
eap-reauth-intv | EAP re-authentication interval (1800 - 864000 sec, default = 86400).
eapol-key-retries | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
encrypt | Encryption protocol to use (only available when security is set to a WPA type). TKIP is deprecated; use AES (CCMP).
external-fast-roaming | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
external-logout | URL of the external authentication logout server.
external-web | URL of the external authentication web server.
fast-bss-transition | Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
fast-roaming | Enable/disable fast roaming, or pre-authentication, where supported by clients (default = disable).
ft-mobility-domain | Mobility domain identifier in FT (1 - 65535, default = 1000).
ft-over-ds | Enable/disable FT over the Distribution System (DS).
ft-r0-key-lifetime | Lifetime of the PMK-R0 key in FT (1 - 65535 minutes).
gtk-rekey | Enable/disable GTK rekey for WPA security.
gtk-rekey-intv | GTK rekey interval (1800 - 864000 sec, default = 86400).
hotspot20-profile | Hotspot 2.0 profile name.
intra-vap-privacy | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
ip | IP address and subnet mask for the local standalone NAT subnet.
key | WEP key. WEP is broken; use a WPA security mode, in which case key and keyindex stay unset.
keyindex | WEP key index (1 - 4).
ldpc | VAP low-density parity-check (LDPC) coding configuration.
local-authentication | Enable/disable AP local authentication.
local-bridging | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
local-lan | Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
local-standalone | Enable/disable AP local standalone mode (default = disable).
local-standalone-nat | Enable/disable AP local standalone NAT mode.
mac-auth-bypass | Enable/disable MAC authentication bypass.
mac-filter | Enable/disable MAC filtering to block wireless clients by MAC address. MAC addresses are sniffable and spoofable, so this is not a substitute for authentication.
mac-filter-list | Create a list of MAC addresses for MAC address filtering.
mac-filter-list / id (required) | ID.
mac-filter-list / mac | MAC address.
mac-filter-list / mac-filter-policy | Deny or allow the client with this MAC address.
mac-filter-policy-other | Allow or block clients with MAC addresses that are not in the filter list.
max-clients | Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).
max-clients-ap | Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation).
me-disable-thresh | Disable multicast enhancement when this many clients are receiving multicast traffic.
mesh-backhaul | Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
mpsk | Enable/disable multiple pre-shared keys (PSKs).
mpsk-concurrent-clients | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
mpsk-key | Pre-shared keys that can be used to connect to this virtual access point.
mpsk-key / comment | Comment.
mpsk-key / concurrent-clients | Number of clients that can connect using this pre-shared key.
mpsk-key / key-name (required) | Pre-shared key name.
mpsk-key / passphrase | WPA pre-shared key.
multicast-enhance | Enable/disable converting multicast to unicast to improve performance (default = disable).
multicast-rate | Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
name (required) | Virtual AP name.
okc | Enable/disable Opportunistic Key Caching (OKC) (default = enable).
passphrase | WPA pre-shared key (PSK) used to authenticate WiFi users.
pmf | Protected Management Frames (PMF, 802.11w) support (default = disable). Without PMF, deauthentication and disassociation frames can be forged to disconnect clients.
pmf-assoc-comeback-timeout | Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec).
pmf-sa-query-retry-timeout | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 ms).
portal-message-override-group | Replacement message group for this VAP (only available when security is set to a captive portal type).
portal-message-overrides | Individual message overrides.
portal-message-overrides / auth-disclaimer-page | Override the auth-disclaimer-page message with a message from the portal-message-overrides group.
portal-message-overrides / auth-login-failed-page | Override the auth-login-failed-page message with a message from the portal-message-overrides group.
portal-message-overrides / auth-login-page | Override the auth-login-page message with a message from the portal-message-overrides group.
portal-message-overrides / auth-reject-page | Override the auth-reject-page message with a message from the portal-message-overrides group.
portal-type | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
probe-resp-suppression | Enable/disable probe response suppression (to ignore weak signals) (default = disable).
probe-resp-threshold | Minimum signal level/threshold in dBm required for the AP to respond to probe requests (-95 to -20, default = -80).
ptk-rekey | Enable/disable PTK rekey for WPA-Enterprise security.
ptk-rekey-intv | PTK rekey interval (1800 - 864000 sec, default = 86400).
qos-profile | Quality of service profile name.
quarantine | Enable/disable station quarantine (default = enable).
radio-2g-threshold | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 2.4 GHz band (-95 to -20, default = -79).
radio-5g-threshold | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 5 GHz band (-95 to -20, default = -76).
radio-sensitivity | Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
radius-mac-auth | Enable/disable RADIUS-based MAC authentication of clients (default = disable).
radius-mac-auth-server | RADIUS-based MAC authentication server.
radius-mac-auth-usergroups | Selective user groups that are permitted for RADIUS MAC authentication.
radius-mac-auth-usergroups / name (required) | User group name.
radius-server | RADIUS server to be used to authenticate WiFi users.
rates-11a | Allowed data rates for 802.11a.
rates-11ac-ss12 | Allowed data rates for 802.11ac with 1 or 2 spatial streams.
rates-11ac-ss34 | Allowed data rates for 802.11ac with 3 or 4 spatial streams.
rates-11bg | Allowed data rates for 802.11b/g.
rates-11n-ss12 | Allowed data rates for 802.11n with 1 or 2 spatial streams.
rates-11n-ss34 | Allowed data rates for 802.11n with 3 or 4 spatial streams.
schedule | VAP schedule name.
security | Security mode for the wireless interface (default = wpa2-only-personal). Avoid open (no encryption at all) and WEP.
security-exempt-list | Optional security exempt list for captive portal authentication.
security-obsolete-option | Enable/disable obsolete security options.
security-redirect-url | Optional URL for redirecting users after they pass captive portal authentication.
selected-usergroups | Selective user groups that are permitted to authenticate.
selected-usergroups / name (required) | User group name.
split-tunneling | Enable/disable split tunneling (default = disable).
ssid | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
state | Indicates whether to create or remove the object. Choices: present, absent.
tkip-counter-measure | Enable/disable TKIP countermeasures.
usergroup | Firewall user group to be used to authenticate WiFi users.
usergroup / name (required) | User group name.
utm-profile | UTM profile name.
vdom | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
vlan-auto | Enable/disable automatic management of the SSID VLAN interface.
vlan-pool | VLAN pool.
vlan-pool / id (required) | ID.
vlan-pool / wtp-group | WTP group name.
vlan-pooling | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
vlanid | Optional VLAN ID.
voice-enterprise | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).
Example playbook from the module documentation. The values are placeholders that exercise every key; they are not a recommended configuration. In particular `https: "False"` is acceptable only in a lab, because it sends the admin credentials and every secret below over plain HTTP.

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure Virtual Access Points (VAPs).
      fortios_wireless_controller_vap:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        wireless_controller_vap:
          state: "present"
          acct-interim-interval: "3"
          alias: "<your_own_value>"
          auth: "psk"
          broadcast-ssid: "enable"
          broadcast-suppression: "dhcp-up"
          captive-portal-ac-name: "<your_own_value>"
          captive-portal-macauth-radius-secret: "<your_own_value>"
          captive-portal-macauth-radius-server: "<your_own_value>"
          captive-portal-radius-secret: "<your_own_value>"
          captive-portal-radius-server: "<your_own_value>"
          captive-portal-session-timeout-interval: "13"
          dhcp-lease-time: "14"
          dhcp-option82-circuit-id-insertion: "style-1"
          dhcp-option82-insertion: "enable"
          dhcp-option82-remote-id-insertion: "style-1"
          dynamic-vlan: "enable"
          eap-reauth: "enable"
          eap-reauth-intv: "20"
          eapol-key-retries: "disable"
          encrypt: "TKIP"
          external-fast-roaming: "enable"
          external-logout: "<your_own_value>"
          external-web: "<your_own_value>"
          fast-bss-transition: "disable"
          fast-roaming: "enable"
          ft-mobility-domain: "28"
          ft-over-ds: "disable"
          ft-r0-key-lifetime: "30"
          gtk-rekey: "enable"
          gtk-rekey-intv: "32"
          hotspot20-profile: "<your_own_value>"
          intra-vap-privacy: "enable"
          ip: "<your_own_value>"
          key: "<your_own_value>"
          keyindex: "37"
          ldpc: "disable"
          local-authentication: "enable"
          local-bridging: "enable"
          local-lan: "allow"
          local-standalone: "enable"
          local-standalone-nat: "enable"
          mac-auth-bypass: "enable"
          mac-filter: "enable"
          mac-filter-list:
            - id: "47"
              mac: "<your_own_value>"
              mac-filter-policy: "allow"
          mac-filter-policy-other: "allow"
          max-clients: "51"
          max-clients-ap: "52"
          me-disable-thresh: "53"
          mesh-backhaul: "enable"
          mpsk: "enable"
          mpsk-concurrent-clients: "56"
          mpsk-key:
            - comment: "Comment."
              concurrent-clients: "<your_own_value>"
              key-name: "<your_own_value>"
              passphrase: "<your_own_value>"
          multicast-enhance: "enable"
          multicast-rate: "0"
          name: "default_name_64"
          okc: "disable"
          passphrase: "<your_own_value>"
          pmf: "disable"
          pmf-assoc-comeback-timeout: "68"
          pmf-sa-query-retry-timeout: "69"
          portal-message-override-group: "<your_own_value>"
          portal-message-overrides:
            auth-disclaimer-page: "<your_own_value>"
            auth-login-failed-page: "<your_own_value>"
            auth-login-page: "<your_own_value>"
            auth-reject-page: "<your_own_value>"
          portal-type: "auth"
          probe-resp-suppression: "enable"
          probe-resp-threshold: "<your_own_value>"
          ptk-rekey: "enable"
          ptk-rekey-intv: "80"
          qos-profile: "<your_own_value>"
          quarantine: "enable"
          radio-2g-threshold: "<your_own_value>"
          radio-5g-threshold: "<your_own_value>"
          radio-sensitivity: "enable"
          radius-mac-auth: "enable"
          radius-mac-auth-server: "<your_own_value>"
          radius-mac-auth-usergroups:
            - name: "default_name_89"
          radius-server: "<your_own_value>"
          rates-11a: "1"
          rates-11ac-ss12: "mcs0/1"
          rates-11ac-ss34: "mcs0/3"
          rates-11bg: "1"
          rates-11n-ss12: "mcs0/1"
          rates-11n-ss34: "mcs16/3"
          schedule: "<your_own_value>"
          security: "open"
          security-exempt-list: "<your_own_value>"
          security-obsolete-option: "enable"
          security-redirect-url: "<your_own_value>"
          selected-usergroups:
            - name: "default_name_103"
          split-tunneling: "enable"
          ssid: "<your_own_value>"
          tkip-counter-measure: "enable"
          usergroup:
            - name: "default_name_108"
          utm-profile: "<your_own_value>"
          vdom: "<your_own_value> (source system.vdom.name)"
          vlan-auto: "enable"
          vlan-pool:
            - id: "113"
              wtp-group: "<your_own_value>"
          vlan-pooling: "wtp-group"
          vlanid: "116"
          voice-enterprise: "disable"
```
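The playbook above is a key-coverage sample, and several of its values (`https: "False"`, `security: "open"`, `encrypt: "TKIP"`, a WEP `key`, `pmf: "disable"`, `security-obsolete-option: "enable"`, literal secrets) are exactly the settings a reviewer would reject. The following is an added example, not code from the Ansible module or from Fortinet: a pre-flight audit that takes the `https` flag and the `wireless_controller_vap` mapping a playbook would pass to the module and lists the weak settings before anything is pushed to a FortiGate, with a hardened version of the same VAP beside the page's values. Parameter names are the ones documented above; the rule set and severity labels are this example's own, and the value `"AES"` for `encrypt` is assumed to be a valid FortiOS choice because it does not appear on this page.

```python
"""Added example (not from the Ansible module or Fortinet): pre-flight audit
of the `https` flag and the `wireless_controller_vap` mapping handed to
fortios_wireless_controller_vap.  Parameter names are the documented ones;
the rules and severities are this example's own choices."""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, parameter, why it matters)

# Parameters that carry credentials.  A value that is not a Jinja2 expression
# such as "{{ vault_psk }}" is a literal secret stored in the playbook.
SECRET_PARAMS = ("passphrase", "key", "captive-portal-radius-secret",
                 "captive-portal-macauth-radius-secret")


def _is_false(value: Any) -> bool:
    """The page's playbook writes https: "False"; accept the usual spellings."""
    return str(value).strip().lower() in ("false", "no", "0", "off")


def audit_vap(vap: Dict[str, Any], https: Any = True) -> List[Finding]:
    """Return findings for one VAP definition; an empty list means clean."""
    findings: List[Finding] = []

    def flag(severity: str, param: str, why: str) -> None:
        findings.append((severity, param, why))

    # Management channel: over plain HTTP the admin credentials and every
    # RADIUS secret / PSK in the request body cross the network unencrypted.
    if _is_false(https):
        flag("high", "https", "plain HTTP to the FortiGate; credentials and "
             "VAP secrets travel in clear text")

    # Link-layer security mode.  "open" is the value used on this page; WEP
    # is recognised through its dedicated parameters key / keyindex.
    security = str(vap.get("security", "wpa2-only-personal"))  # page default
    if security == "open":
        flag("high", "security", "open SSID: no encryption, any station can "
             "read every other station's traffic")
    if "key" in vap or "keyindex" in vap:
        flag("high", "key", "WEP key configured; WEP is broken")

    # Cipher: TKIP (the page's example value) is the deprecated WPA1 cipher.
    if str(vap.get("encrypt", "")).upper().startswith("TKIP"):
        flag("high", "encrypt", "TKIP selected; use the AES (CCMP) cipher")

    # Knobs whose insecure value is the documented default.
    if str(vap.get("pmf", "disable")) == "disable":
        flag("medium", "pmf", "802.11w off: deauth/disassoc frames can be "
             "forged to disconnect clients")
    if str(vap.get("security-obsolete-option", "disable")) == "enable":
        flag("medium", "security-obsolete-option",
             "obsolete security options enabled")
    if str(vap.get("intra-vap-privacy", "disable")) == "disable":
        flag("low", "intra-vap-privacy",
             "clients on this SSID can reach each other directly")

    # MAC addresses are sniffable and spoofable, so a MAC filter must not be
    # the only gate on an open SSID.
    if security == "open" and str(vap.get("mac-filter", "disable")) == "enable":
        flag("medium", "mac-filter", "MAC filter is the only control on an "
             "open SSID; bypassed by spoofing an allowed address")

    # Secrets written literally into the playbook instead of via ansible-vault.
    secrets = [(p, vap[p]) for p in SECRET_PARAMS if p in vap]
    secrets += [("mpsk-key/passphrase", e["passphrase"])
                for e in (vap.get("mpsk-key") or []) if "passphrase" in e]
    for param, value in secrets:
        if "{{" not in str(value):
            flag("low", param, "literal secret in the playbook; load it "
                 "from ansible-vault instead")
    return findings


# Constructed input: the security-relevant values from the playbook above.
PAGE_EXAMPLE_VAP: Dict[str, Any] = {
    "security": "open", "encrypt": "TKIP",
    "key": "<your_own_value>", "keyindex": "37",
    "pmf": "disable", "security-obsolete-option": "enable",
    "intra-vap-privacy": "enable", "mac-filter": "enable",
    "passphrase": "<your_own_value>",
    "captive-portal-radius-secret": "<your_own_value>",
    "mpsk-key": [{"key-name": "<your_own_value>",
                  "passphrase": "<your_own_value>"}],
}

# The same VAP with the weak settings corrected.  "AES" is assumed to be a
# valid FortiOS value for encrypt; it does not appear on this page.
HARDENED_VAP: Dict[str, Any] = {
    "security": "wpa2-only-personal", "encrypt": "AES", "pmf": "enable",
    "security-obsolete-option": "disable", "intra-vap-privacy": "enable",
    "passphrase": "{{ vault_vap_psk }}",  # templated in from ansible-vault
}

if __name__ == "__main__":
    for sev, param, why in audit_vap(PAGE_EXAMPLE_VAP, https="False"):
        print(f"{sev:<6} {param}: {why}")
    print("hardened:", audit_vap(HARDENED_VAP, https=True) or "no findings")
```

Run against the page's values the audit reports eleven findings (four high, three medium, four low); the hardened mapping reports none, and flipping only `https` back to `"False"` on it yields the single `https` finding. Wire `audit_vap` into a pre-commit hook or CI job over the parsed playbook, and fail the run on any `high` finding.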
Common return values are documented in the Ansible return values reference; the following fields are unique to this module. All of them are strings.

Key | Returned | Description | Sample
---|---|---|---
build | always | Build number of the FortiGate image | 1547
http_method | always | Last HTTP method used to provision the content into the FortiGate | PUT
http_status | always | Last HTTP status returned by the FortiGate for the last operation applied | 200
mkey | success | Master key (id) used in the last call to the FortiGate | id
name | always | Name of the table used to fulfil the request | urlfilter
path | always | Path of the table used to fulfil the request | webfilter
revision | always | Internal revision number | 17.0.2.10658
serial | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | always | Indication of the operation's result | success
vdom | always | Virtual domain used | root
version | always | Version of the FortiGate | v5.6.3