fortinet.fortios.fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.2).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install fortinet.fortios
To use it in a playbook, specify: fortinet.fortios.fortios_wireless_controller_vap
New in version 2.10 of fortinet.fortios
Synopsis
- This module configures a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the wireless_controller feature and vap category. The examples include all parameters, and the values need to be adjusted to datasources before usage. Tested with FOS v6.0.0.
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
access_token string | | Token-based authentication. Generated from GUI of Fortigate. |
enable_log boolean | | Enable/Disable logging for task. |
state string / required | | Indicates whether to create or remove the object. |
vdom string | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. |
wireless_controller_vap dictionary | | Configure Virtual Access Points (VAPs). |
access_control_list string | | access-control-list profile name. Source wireless-controller.access-control-list.name. |
acct_interim_interval integer | | WiFi RADIUS accounting interim interval (60 - 86400 sec). |
additional_akms list / elements=string | | Additional AKMs. |
address_group string | | Address group ID. Source wireless-controller.addrgrp.id. |
alias string | | Alias. |
atf_weight integer | | Airtime weight in percentage. |
auth string | | Authentication protocol. |
broadcast_ssid string | | Enable/disable broadcasting the SSID. |
broadcast_suppression list / elements=string | | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. |
bss_color_partial string | | Enable/disable 802.11ax partial BSS color. |
bstm_disassociation_imminent string | | Enable/disable forcing of disassociation after the BSTM request timer has been reached. |
bstm_load_balancing_disassoc_timer integer | | Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30). |
bstm_rssi_disassoc_timer integer | | Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000). |
captive_portal_ac_name string | | Local-bridging captive portal ac-name. |
captive_portal_auth_timeout integer | | Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec). |
captive_portal_macauth_radius_secret string | | Secret key to access the macauth RADIUS server. |
captive_portal_macauth_radius_server string | | Captive portal external RADIUS server domain name or IP address. |
captive_portal_radius_secret string | | Secret key to access the RADIUS server. |
captive_portal_radius_server string | | Captive portal RADIUS server domain name or IP address. |
captive_portal_session_timeout_interval integer | | Session timeout interval (0 - 864000 sec). |
dhcp_address_enforcement string | | Enable/disable DHCP address enforcement. |
dhcp_lease_time integer | | DHCP lease time in seconds for NAT IP address. |
dhcp_option43_insertion string | | Enable/disable insertion of DHCP option 43. |
dhcp_option82_circuit_id_insertion string | | Enable/disable DHCP option 82 circuit-id insert. |
dhcp_option82_insertion string | | Enable/disable DHCP option 82 insert. |
dhcp_option82_remote_id_insertion string | | Enable/disable DHCP option 82 remote-id insert. |
dynamic_vlan string | | Enable/disable dynamic VLAN assignment. |
eap_reauth string | | Enable/disable EAP re-authentication for WPA-Enterprise security. |
eap_reauth_intv integer | | EAP re-authentication interval (1800 - 864000 sec). |
eapol_key_retries string | | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). |
encrypt string | | Encryption protocol to use (only available when security is set to a WPA type). |
external_fast_roaming string | | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate. |
external_logout string | | URL of external authentication logout server. |
external_web string | | URL of external authentication web server. |
external_web_format string | | URL query parameter detection. |
fast_bss_transition string | | Enable/disable 802.11r Fast BSS Transition (FT). |
fast_roaming string | | Enable/disable fast-roaming, or pre-authentication, where supported by clients. |
ft_mobility_domain integer | | Mobility domain identifier in FT (1 - 65535). |
ft_over_ds string | | Enable/disable FT over the Distribution System (DS). |
ft_r0_key_lifetime integer | | Lifetime of the PMK-R0 key in FT, 1-65535 minutes. |
gas_comeback_delay integer | | GAS comeback delay (0 or 100 - 10000 milliseconds). |
gas_fragmentation_limit integer | | GAS fragmentation limit (512 - 4096). |
gtk_rekey string | | Enable/disable GTK rekey for WPA security. |
gtk_rekey_intv integer | | GTK rekey interval (1800 - 864000 sec). |
high_efficiency string | | Enable/disable 802.11ax high efficiency. |
hotspot20_profile string | | Hotspot 2.0 profile name. Source wireless-controller.hotspot20.hs-profile.name. |
igmp_snooping string | | Enable/disable IGMP snooping. |
intra_vap_privacy string | | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy). |
ip string | | IP address and subnet mask for the local standalone NAT subnet. |
ipv6_rules list / elements=string | | Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. |
key string | | WEP Key. |
keyindex integer | | WEP key index (1 - 4). |
ldpc string | | VAP low-density parity-check (LDPC) coding configuration. |
local_authentication string | | Enable/disable AP local authentication. |
local_bridging string | | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP. |
local_lan string | | Allow/deny traffic destined for a Class A, B, or C private IP address. |
local_standalone string | | Enable/disable AP local standalone. |
local_standalone_nat string | | Enable/disable AP local standalone NAT mode. |
mac_auth_bypass string | | Enable/disable MAC authentication bypass. |
mac_called_station_delimiter string | | MAC called station delimiter. |
mac_calling_station_delimiter string | | MAC calling station delimiter. |
mac_case string | | MAC case. |
mac_filter string | | Enable/disable MAC filtering to block wireless clients by MAC address. |
mac_filter_list list / elements=string | | Create a list of MAC addresses for MAC address filtering. |
id integer / required | | ID. |
mac string | | MAC address. |
mac_filter_policy string | | Deny or allow the client with this MAC address. |
mac_filter_policy_other string | | Allow or block clients with MAC addresses that are not in the filter list. |
mac_password_delimiter string | | MAC authentication password delimiter. |
mac_username_delimiter string | | MAC authentication username delimiter. |
max_clients integer | | Maximum number of clients that can connect simultaneously to the VAP. |
max_clients_ap integer | | Maximum number of clients that can connect simultaneously to each radio. |
mbo string | | Enable/disable Multiband Operation. |
mbo_cell_data_conn_pref string | | MBO cell data connection preference (0, 1, or 255). |
me_disable_thresh integer | | Disable multicast enhancement when this many clients are receiving multicast traffic. |
mesh_backhaul string | | Enable/disable using this VAP as a WiFi mesh backhaul. This entry is only available when security is set to a WPA type or open. |
mpsk string | | Enable/disable multiple pre-shared keys (PSKs). |
mpsk_concurrent_clients integer | | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. |
mpsk_key list / elements=string | | Pre-shared keys that can be used to connect to this virtual access point. |
comment string | | Comment. |
concurrent_clients string | | Number of clients that can connect using this pre-shared key. |
key_name string | | Pre-shared key name. |
mpsk_schedules list / elements=string | | Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. |
name string / required | | Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. |
passphrase string | | WPA Pre-shared key. |
mpsk_profile string | | MPSK profile name. Source wireless-controller.mpsk-profile.name. |
mu_mimo string | | Enable/disable Multi-user MIMO. |
multicast_enhance string | | Enable/disable converting multicast to unicast to improve performance. |
multicast_rate string | | Multicast rate (0, 6000, 12000, or 24000 kbps). |
nac string | | Enable/disable network access control. |
nac_profile string | | NAC profile name. Source wireless-controller.nac-profile.name. |
name string / required | | Virtual AP name. |
neighbor_report_dual_band string | | Enable/disable dual-band neighbor report. |
okc string | | Enable/disable Opportunistic Key Caching (OKC). |
owe_groups list / elements=string | | OWE-Groups. |
owe_transition string | | Enable/disable OWE transition mode support. |
owe_transition_ssid string | | OWE transition mode peer SSID. |
passphrase string | | WPA pre-shared key (PSK) to be used to authenticate WiFi users. |
pmf string | | Protected Management Frames (PMF) support. |
pmf_assoc_comeback_timeout integer | | Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). |
pmf_sa_query_retry_timeout integer | | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). |
port_macauth string | | Enable/disable LAN port MAC authentication. |
port_macauth_reauth_timeout integer | | LAN port MAC authentication re-authentication timeout value. |
port_macauth_timeout integer | | LAN port MAC authentication idle timeout value. |
portal_message_override_group string | | Replacement message group for this VAP (only available when security is set to a captive portal type). Source system.replacemsg-group.name. |
portal_message_overrides dictionary | | Individual message overrides. |
auth_disclaimer_page string | | Override auth-disclaimer-page message with message from portal-message-overrides group. |
auth_login_failed_page string | | Override auth-login-failed-page message with message from portal-message-overrides group. |
auth_login_page string | | Override auth-login-page message with message from portal-message-overrides group. |
auth_reject_page string | | Override auth-reject-page message with message from portal-message-overrides group. |
portal_type string | | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. |
primary_wag_profile string | | Primary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
probe_resp_suppression string | | Enable/disable probe response suppression (to ignore weak signals). |
probe_resp_threshold string | | Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). |
ptk_rekey string | | Enable/disable PTK rekey for WPA-Enterprise security. |
ptk_rekey_intv integer | | PTK rekey interval (1800 - 864000 sec). |
qos_profile string | | Quality of service profile name. Source wireless-controller.qos-profile.name. |
quarantine string | | Enable/disable station quarantine. |
radio_2g_threshold string | | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20). |
radio_5g_threshold string | | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20). |
radio_sensitivity string | | Enable/disable software radio sensitivity (to ignore weak signals). |
radius_mac_auth string | | Enable/disable RADIUS-based MAC authentication of clients. |
radius_mac_auth_server string | | RADIUS-based MAC authentication server. Source user.radius.name. |
radius_mac_auth_usergroups list / elements=string | | Selective user groups that are permitted for RADIUS MAC authentication. |
name string / required | | User group name. |
radius_server string | | RADIUS server to be used to authenticate WiFi users. Source user.radius.name. |
rates_11a list / elements=string | | Allowed data rates for 802.11a. |
rates_11ac_ss12 list / elements=string | | Allowed data rates for 802.11ac with 1 or 2 spatial streams. |
rates_11ac_ss34 list / elements=string | | Allowed data rates for 802.11ac with 3 or 4 spatial streams. |
rates_11bg list / elements=string | | Allowed data rates for 802.11b/g. |
rates_11n_ss12 list / elements=string | | Allowed data rates for 802.11n with 1 or 2 spatial streams. |
rates_11n_ss34 list / elements=string | | Allowed data rates for 802.11n with 3 or 4 spatial streams. |
sae_groups list / elements=string | | SAE-Groups. |
sae_password string | | WPA3 SAE password to be used to authenticate WiFi users. |
schedule string | | VAP schedule name. |
secondary_wag_profile string | | Secondary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
security string | | Security mode for the wireless interface. |
security_exempt_list string | | Optional security exempt list for captive portal authentication. Source user.security-exempt-list.name. |
security_obsolete_option string | | Enable/disable obsolete security options. |
security_redirect_url string | | Optional URL for redirecting users after they pass captive portal authentication. |
selected_usergroups list / elements=string | | Selective user groups that are permitted to authenticate. |
name string / required | | User group name. Source user.group.name. |
split_tunneling string | | Enable/disable split tunneling. |
ssid string | | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. |
sticky_client_remove string | | Enable/disable sticky client remove to maintain good signal level clients in SSID. |
sticky_client_threshold_2g string | | Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20). |
sticky_client_threshold_5g string | | Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20). |
target_wake_time string | | Enable/disable 802.11ax target wake time. |
tkip_counter_measure string | | Enable/disable TKIP counter measure. |
tunnel_echo_interval integer | | The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec). |
tunnel_fallback_interval integer | | The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec). |
usergroup list / elements=string | | Firewall user group to be used to authenticate WiFi users. |
name string / required | | User group name. Source user.group.name. |
utm_profile string | | UTM profile name. Source wireless-controller.utm-profile.name. |
vdom string | | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name. |
vlan_auto string | | Enable/disable automatic management of SSID VLAN interface. |
vlan_pool list / elements=string | | VLAN pool. |
id integer / required | | ID. |
wtp_group string | | WTP group name. Source wireless-controller.wtp-group.name. |
vlan_pooling string | | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. |
vlanid integer | | Optional VLAN ID. |
voice_enterprise string | | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming. |
Notes
Note
- Legacy fortiosapi has been deprecated, httpapi is the preferred way to run playbooks
Examples
```yaml
# Listing of every parameter with placeholder values; adjust them to your
# own datasources before use.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    # "no" skips verification of the FortiGate's TLS certificate
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: Configure Virtual Access Points (VAPs).
      fortios_wireless_controller_vap:
        vdom: "{{ vdom }}"
        state: "present"
        access_token: "<your_own_value>"
        wireless_controller_vap:
          access_control_list: "<your_own_value> (source wireless-controller.access-control-list.name)"
          acct_interim_interval: "4"
          additional_akms: "akm6"
          address_group: "<your_own_value> (source wireless-controller.addrgrp.id)"
          alias: "<your_own_value>"
          atf_weight: "8"
          auth: "psk"
          broadcast_ssid: "enable"
          broadcast_suppression: "dhcp-up"
          bss_color_partial: "enable"
          bstm_disassociation_imminent: "enable"
          bstm_load_balancing_disassoc_timer: "14"
          bstm_rssi_disassoc_timer: "15"
          captive_portal_ac_name: "<your_own_value>"
          captive_portal_auth_timeout: "17"
          captive_portal_macauth_radius_secret: "<your_own_value>"
          captive_portal_macauth_radius_server: "<your_own_value>"
          captive_portal_radius_secret: "<your_own_value>"
          captive_portal_radius_server: "<your_own_value>"
          captive_portal_session_timeout_interval: "22"
          dhcp_address_enforcement: "enable"
          dhcp_lease_time: "24"
          dhcp_option43_insertion: "enable"
          dhcp_option82_circuit_id_insertion: "style-1"
          dhcp_option82_insertion: "enable"
          dhcp_option82_remote_id_insertion: "style-1"
          dynamic_vlan: "enable"
          eap_reauth: "enable"
          eap_reauth_intv: "31"
          eapol_key_retries: "disable"
          encrypt: "TKIP"
          external_fast_roaming: "enable"
          external_logout: "<your_own_value>"
          external_web: "<your_own_value>"
          external_web_format: "auto-detect"
          fast_bss_transition: "disable"
          fast_roaming: "enable"
          ft_mobility_domain: "40"
          ft_over_ds: "disable"
          ft_r0_key_lifetime: "42"
          gas_comeback_delay: "43"
          gas_fragmentation_limit: "44"
          gtk_rekey: "enable"
          gtk_rekey_intv: "46"
          high_efficiency: "enable"
          hotspot20_profile: "<your_own_value> (source wireless-controller.hotspot20.hs-profile.name)"
          igmp_snooping: "enable"
          intra_vap_privacy: "enable"
          ip: "<your_own_value>"
          ipv6_rules: "drop-icmp6ra"
          key: "<your_own_value>"
          keyindex: "54"
          ldpc: "disable"
          local_authentication: "enable"
          local_bridging: "enable"
          local_lan: "allow"
          local_standalone: "enable"
          local_standalone_nat: "enable"
          mac_auth_bypass: "enable"
          mac_called_station_delimiter: "hyphen"
          mac_calling_station_delimiter: "hyphen"
          mac_case: "uppercase"
          mac_filter: "enable"
          mac_filter_list:
            - id: "67"
              mac: "<your_own_value>"
              mac_filter_policy: "allow"
          mac_filter_policy_other: "allow"
          mac_password_delimiter: "hyphen"
          mac_username_delimiter: "hyphen"
          max_clients: "73"
          max_clients_ap: "74"
          mbo: "disable"
          mbo_cell_data_conn_pref: "excluded"
          me_disable_thresh: "77"
          mesh_backhaul: "enable"
          mpsk: "enable"
          mpsk_concurrent_clients: "80"
          mpsk_key:
            - comment: "Comment."
              concurrent_clients: "<your_own_value>"
              key_name: "<your_own_value>"
              mpsk_schedules:
                - name: "default_name_86 (source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name)"
              passphrase: "<your_own_value>"
          mpsk_profile: "<your_own_value> (source wireless-controller.mpsk-profile.name)"
          mu_mimo: "enable"
          multicast_enhance: "enable"
          multicast_rate: "0"
          nac: "enable"
          nac_profile: "<your_own_value> (source wireless-controller.nac-profile.name)"
          name: "default_name_94"
          neighbor_report_dual_band: "disable"
          okc: "disable"
          owe_groups: "19"
          owe_transition: "disable"
          owe_transition_ssid: "<your_own_value>"
          passphrase: "<your_own_value>"
          pmf: "disable"
          pmf_assoc_comeback_timeout: "102"
          pmf_sa_query_retry_timeout: "103"
          port_macauth: "disable"
          port_macauth_reauth_timeout: "105"
          port_macauth_timeout: "106"
          portal_message_override_group: "<your_own_value> (source system.replacemsg-group.name)"
          portal_message_overrides:
            auth_disclaimer_page: "<your_own_value>"
            auth_login_failed_page: "<your_own_value>"
            auth_login_page: "<your_own_value>"
            auth_reject_page: "<your_own_value>"
          portal_type: "auth"
          primary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
          probe_resp_suppression: "enable"
          probe_resp_threshold: "<your_own_value>"
          ptk_rekey: "enable"
          ptk_rekey_intv: "118"
          qos_profile: "<your_own_value> (source wireless-controller.qos-profile.name)"
          quarantine: "enable"
          radio_2g_threshold: "<your_own_value>"
          radio_5g_threshold: "<your_own_value>"
          radio_sensitivity: "enable"
          radius_mac_auth: "enable"
          radius_mac_auth_server: "<your_own_value> (source user.radius.name)"
          radius_mac_auth_usergroups:
            - name: "default_name_127"
          radius_server: "<your_own_value> (source user.radius.name)"
          rates_11a: "1"
          rates_11ac_ss12: "mcs0/1"
          rates_11ac_ss34: "mcs0/3"
          rates_11bg: "1"
          rates_11n_ss12: "mcs0/1"
          rates_11n_ss34: "mcs16/3"
          sae_groups: "19"
          sae_password: "<your_own_value>"
          schedule: "<your_own_value>"
          secondary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
          security: "open"
          security_exempt_list: "<your_own_value> (source user.security-exempt-list.name)"
          security_obsolete_option: "enable"
          security_redirect_url: "<your_own_value>"
          selected_usergroups:
            - name: "default_name_144 (source user.group.name)"
          split_tunneling: "enable"
          ssid: "<your_own_value>"
          sticky_client_remove: "enable"
          sticky_client_threshold_2g: "<your_own_value>"
          sticky_client_threshold_5g: "<your_own_value>"
          target_wake_time: "enable"
          tkip_counter_measure: "enable"
          tunnel_echo_interval: "152"
          tunnel_fallback_interval: "153"
          usergroup:
            - name: "default_name_155 (source user.group.name)"
          utm_profile: "<your_own_value> (source wireless-controller.utm-profile.name)"
          vdom: "<your_own_value> (source system.vdom.name)"
          vlan_auto: "enable"
          vlan_pool:
            - id: "160"
              wtp_group: "<your_own_value> (source wireless-controller.wtp-group.name)"
          vlan_pooling: "wtp-group"
          vlanid: "163"
          voice_enterprise: "disable"
```
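The listing above sets every parameter to a placeholder, including `security: "open"`, `encrypt: "TKIP"`, `pmf: "disable"` and `ansible_httpapi_validate_certs: no`. The playbook below is an added example, not part of the collection's documentation: it defines a WPA2-Enterprise VAP and refuses to push it if the definition falls below a baseline. The names `corp_vap`, `corp-wifi`, `corp-radius` and `vault_fortigate_token` are hypothetical, and it assumes the RADIUS server object already exists on the FortiGate and that the control node trusts the FortiGate's certificate.

```yaml
# Added example: names and baseline thresholds are assumptions, not module defaults.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # verify the FortiGate's TLS certificate
    ansible_httpapi_port: 443
    # The VAP definition lives in one variable so it can be checked before it is pushed.
    corp_vap:
      name: "corp-wifi"
      ssid: "corp-wifi"
      security: "wpa2-only-enterprise"
      auth: "radius"
      radius_server: "corp-radius"        # existing user.radius object (assumed)
      encrypt: "AES"
      pmf: "enable"
      intra_vap_privacy: "enable"         # block client-to-client traffic on the SSID
      local_lan: "deny"
      eap_reauth: "enable"
      eap_reauth_intv: 3600               # within the documented 1800 - 864000 sec range
      gtk_rekey: "enable"
      gtk_rekey_intv: 3600
      ptk_rekey: "enable"
      ptk_rekey_intv: 3600
  tasks:
    - name: Refuse to push a VAP that falls below the wireless baseline
      assert:
        that:
          - corp_vap.security not in ['open', 'wep64', 'wep128']
          - corp_vap.encrypt == 'AES'
          - corp_vap.pmf != 'disable'
          - corp_vap.intra_vap_privacy == 'enable'
          - ansible_httpapi_validate_certs | bool
        fail_msg: "VAP definition does not meet the wireless security baseline"

    - name: Configure the corporate VAP
      fortios_wireless_controller_vap:
        vdom: "{{ vdom }}"
        state: "present"
        # Token kept in an ansible-vault encrypted vars file (assumed variable name)
        access_token: "{{ vault_fortigate_token }}"
        wireless_controller_vap: "{{ corp_vap }}"
```

Because the assert task runs first, a later edit that reintroduces an open or TKIP setting fails the play before anything reaches the device.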
Return Values
Common return values are documented here; the following fields are unique to this module:
Key | Returned | Description |
---|---|---|
build string | always | Build number of the fortigate image Sample: 1547 |
http_method string | always | Last method used to provision the content into FortiGate Sample: PUT |
http_status string | always | Last result given by FortiGate on last operation applied Sample: 200 |
mkey string | success | Master key (id) used in the last call to FortiGate Sample: id |
name string | always | Name of the table used to fulfill the request Sample: urlfilter |
path string | always | Path of the table used to fulfill the request Sample: webfilter |
revision string | always | Internal revision number Sample: 17.0.2.10658 |
serial string | always | Serial number of the unit Sample: FGVMEVYYQT3AB5352 |
status string | always | Indication of the operation's result Sample: success |
vdom string | always | Virtual domain used Sample: root |
version string | always | Version of the FortiGate Sample: v5.6.3 |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Hongbin Lu (@fgtdev-hblu)
- Frank Shen (@frankshen01)
- Miguel Angel Munoz (@mamunozgonzalez)
- Nicolas Thomas (@thomnico)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_wireless_controller_vap_module.html