fortinet.fortimanager.fmgr_user_radius – Configure RADIUS server entries.
Note
This plugin is part of the fortinet.fortimanager collection (version 2.0.1).
To install it use: ansible-galaxy collection install fortinet.fortimanager.
To use it in a playbook, specify: fortinet.fortimanager.fmgr_user_radius.
New in version 2.10: of fortinet.fortimanager
Synopsis
- This module is able to configure a FortiManager device.
- Examples include all parameters and values which need to be adjusted to data sources before usage.
Parameters
| Parameter | Choices/Defaults | Comments | |||
|---|---|---|---|---|---|
| adom string / required | the parameter (adom) in requested url | ||||
| bypass_validation boolean |
| only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters | |||
| rc_failed list / elements=string | the rc codes list with which the conditions to fail will be overriden | ||||
| rc_succeeded list / elements=string | the rc codes list with which the conditions to succeed will be overriden | ||||
| state string / required |
| the directive to create, update or delete an object | |||
| user_radius dictionary | the top level parameters set | ||||
| accounting-server list / elements=string | no description | ||||
| id integer | ID (0 - 4294967295). | ||||
| port integer | RADIUS accounting port number. | ||||
| secret string | no description | ||||
| server string | {<name_str|ip_str>} Server CN domain name or IP. | ||||
| source-ip string | Source IP address for communications to the RADIUS server. | ||||
| status string |
| Status. | |||
| acct-all-servers string |
| Enable/disable sending of accounting messages to all configured servers (default = disable). | |||
| acct-interim-interval integer | Time in seconds between each accounting interim update message. | ||||
| all-usergroup string |
| Enable/disable automatically including this RADIUS server in all user groups. | |||
| auth-type string |
| Authentication methods/protocols permitted for this RADIUS server. | |||
| class string | no description | ||||
| dynamic_mapping list / elements=string | no description | ||||
| _scope list / elements=string | no description | ||||
| name string | no description | ||||
| vdom string | no description | ||||
| acct-all-servers string |
| no description | |||
| acct-interim-interval integer | no description | ||||
| all-usergroup string |
| no description | |||
| auth-type string |
| no description | |||
| class string | no description | ||||
| dp-carrier-endpoint-attribute string |
| no description | |||
| dp-carrier-endpoint-block-attribute string |
| no description | |||
| dp-context-timeout integer | no description | ||||
| dp-flush-ip-session string |
| no description | |||
| dp-hold-time integer | no description | ||||
| dp-http-header string | no description | ||||
| dp-http-header-fallback string |
| no description | |||
| dp-http-header-status string |
| no description | |||
| dp-http-header-suppress string |
| no description | |||
| dp-log-dyn_flags list / elements=string |
| no description | |||
| dp-log-period integer | no description | ||||
| dp-mem-percent integer | no description | ||||
| dp-profile-attribute string |
| no description | |||
| dp-profile-attribute-key string | no description | ||||
| dp-radius-response string |
| no description | |||
| dp-radius-server-port integer | no description | ||||
| dp-secret string | no description | ||||
| dp-validate-request-secret string |
| no description | |||
| dynamic-profile string |
| no description | |||
| endpoint-translation string |
| no description | |||
| ep-carrier-endpoint-convert-hex string |
| no description | |||
| ep-carrier-endpoint-header string | no description | ||||
| ep-carrier-endpoint-header-suppress string |
| no description | |||
| ep-carrier-endpoint-prefix string |
| no description | |||
| ep-carrier-endpoint-prefix-range-max integer | no description | ||||
| ep-carrier-endpoint-prefix-range-min integer | no description | ||||
| ep-carrier-endpoint-prefix-string string | no description | ||||
| ep-carrier-endpoint-source string |
| no description | |||
| ep-ip-header string | no description | ||||
| ep-ip-header-suppress string |
| no description | |||
| ep-missing-header-fallback string |
| no description | |||
| ep-profile-query-type string |
| no description | |||
| h3c-compatibility string |
| no description | |||
| nas-ip string | no description | ||||
| password-encoding string |
| no description | |||
| password-renewal string |
| no description | |||
| radius-coa string |
| no description | |||
| radius-port integer | no description | ||||
| rsso string |
| no description | |||
| rsso-context-timeout integer | no description | ||||
| rsso-endpoint-attribute string |
| no description | |||
| rsso-endpoint-block-attribute string |
| no description | |||
| rsso-ep-one-ip-only string |
| no description | |||
| rsso-flush-ip-session string |
| no description | |||
| rsso-log-flags list / elements=string |
| no description | |||
| rsso-log-period integer | no description | ||||
| rsso-radius-response string |
| no description | |||
| rsso-radius-server-port integer | no description | ||||
| rsso-secret string | no description | ||||
| rsso-validate-request-secret string |
| no description | |||
| secondary-secret string | no description | ||||
| secondary-server string | no description | ||||
| secret string | no description | ||||
| server string | no description | ||||
| source-ip string | no description | ||||
| sso-attribute string |
| no description | |||
| sso-attribute-key string | no description | ||||
| sso-attribute-value-override string |
| no description | |||
| tertiary-secret string | no description | ||||
| tertiary-server string | no description | ||||
| timeout integer | no description | ||||
| use-group-for-profile string |
| no description | |||
| use-management-vdom string |
| no description | |||
| username-case-sensitive string |
| no description | |||
| h3c-compatibility string |
| Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. | |||
| name string | RADIUS server entry name. | ||||
| nas-ip string | IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes. | ||||
| password-encoding string |
| Password encoding. | |||
| password-renewal string |
| Enable/disable password renewal. | |||
| radius-coa string |
| Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is a... | |||
| radius-port integer | RADIUS service port number. | ||||
| rsso string |
| Enable/disable RADIUS based single sign on feature. | |||
| rsso-context-timeout integer | Time in seconds before the logged out user is removed from the "user context list" of logged on users. | ||||
| rsso-endpoint-attribute string |
| RADIUS attributes used to extract the user end point identifer from the RADIUS Start record. | |||
| rsso-endpoint-block-attribute string |
| RADIUS attributes used to block a user. | |||
| rsso-ep-one-ip-only string |
| Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. | |||
| rsso-flush-ip-session string |
| Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. | |||
| rsso-log-flags list / elements=string |
| no description | |||
| rsso-log-period integer | Time interval in seconds that group event log messages will be generated for dynamic profile events. | ||||
| rsso-radius-response string |
| Enable/disable sending RADIUS response packets after receiving Start and Stop records. | |||
| rsso-radius-server-port integer | UDP port to listen on for RADIUS Start and Stop records. | ||||
| rsso-secret string | no description | ||||
| rsso-validate-request-secret string |
| Enable/disable validating the RADIUS request shared secret in the Start or End record. | |||
| secondary-secret string | no description | ||||
| secondary-server string | {<name_str|ip_str>} secondary RADIUS CN domain name or IP. | ||||
| secret string | no description | ||||
| server string | Primary RADIUS server CN domain name or IP address. | ||||
| source-ip string | Source IP address for communications to the RADIUS server. | ||||
| sso-attribute string |
| RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. | |||
| sso-attribute-key string | Key prefix for SSO group value in the SSO attribute. | ||||
| sso-attribute-value-override string |
| Enable/disable override old attribute value with new value for the same endpoint. | |||
| tertiary-secret string | no description | ||||
| tertiary-server string | {<name_str|ip_str>} tertiary RADIUS CN domain name or IP. | ||||
| timeout integer | Time in seconds between re-sending authentication requests. | ||||
| use-management-vdom string |
| Enable/disable using management VDOM to send requests. | |||
| username-case-sensitive string |
| Enable/disable case sensitive user names. | |||
| workspace_locking_adom string | the adom to lock for FortiManager running in workspace mode, the value can be global and others including root | ||||
| workspace_locking_timeout integer | Default: 300 | the maximum time in seconds to wait for other user to release the workspace lock | |||
Notes
Note
- Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
- To create or update an object, use state present directive.
- To delete an object, use state absent directive.
- Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded
Examples
- hosts: fortimanager-inventory
collections:
- fortinet.fortimanager
connection: httpapi
vars:
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_httpapi_port: 443
tasks:
- name: Configure RADIUS server entries.
fmgr_user_radius:
bypass_validation: False
workspace_locking_adom: <value in [global, custom adom including root]>
workspace_locking_timeout: 300
rc_succeeded: [0, -2, -3, ...]
rc_failed: [-2, -3, ...]
adom: <your own value>
state: <value in [present, absent]>
user_radius:
accounting-server:
-
id: <value of integer>
port: <value of integer>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
status: <value in [disable, enable]>
acct-all-servers: <value in [disable, enable]>
acct-interim-interval: <value of integer>
all-usergroup: <value in [disable, enable]>
auth-type: <value in [pap, chap, ms_chap, ...]>
class: <value of string>
dynamic_mapping:
-
_scope:
-
name: <value of string>
vdom: <value of string>
acct-all-servers: <value in [disable, enable]>
acct-interim-interval: <value of integer>
all-usergroup: <value in [disable, enable]>
auth-type: <value in [pap, chap, ms_chap, ...]>
class: <value of string>
dp-carrier-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-carrier-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-context-timeout: <value of integer>
dp-flush-ip-session: <value in [disable, enable]>
dp-hold-time: <value of integer>
dp-http-header: <value of string>
dp-http-header-fallback: <value in [ip-header-address, default-profile]>
dp-http-header-status: <value in [disable, enable]>
dp-http-header-suppress: <value in [disable, enable]>
dp-log-dyn_flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
dp-log-period: <value of integer>
dp-mem-percent: <value of integer>
dp-profile-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
dp-profile-attribute-key: <value of string>
dp-radius-response: <value in [disable, enable]>
dp-radius-server-port: <value of integer>
dp-secret: <value of string>
dp-validate-request-secret: <value in [disable, enable]>
dynamic-profile: <value in [disable, enable]>
endpoint-translation: <value in [disable, enable]>
ep-carrier-endpoint-convert-hex: <value in [disable, enable]>
ep-carrier-endpoint-header: <value of string>
ep-carrier-endpoint-header-suppress: <value in [disable, enable]>
ep-carrier-endpoint-prefix: <value in [disable, enable]>
ep-carrier-endpoint-prefix-range-max: <value of integer>
ep-carrier-endpoint-prefix-range-min: <value of integer>
ep-carrier-endpoint-prefix-string: <value of string>
ep-carrier-endpoint-source: <value in [http-header, cookie]>
ep-ip-header: <value of string>
ep-ip-header-suppress: <value in [disable, enable]>
ep-missing-header-fallback: <value in [session-ip, policy-profile]>
ep-profile-query-type: <value in [session-ip, extract-ip, extract-carrier-endpoint]>
h3c-compatibility: <value in [disable, enable]>
nas-ip: <value of string>
password-encoding: <value in [ISO-8859-1, auto]>
password-renewal: <value in [disable, enable]>
radius-coa: <value in [disable, enable]>
radius-port: <value of integer>
rsso: <value in [disable, enable]>
rsso-context-timeout: <value of integer>
rsso-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-ep-one-ip-only: <value in [disable, enable]>
rsso-flush-ip-session: <value in [disable, enable]>
rsso-log-flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
rsso-log-period: <value of integer>
rsso-radius-response: <value in [disable, enable]>
rsso-radius-server-port: <value of integer>
rsso-secret: <value of string>
rsso-validate-request-secret: <value in [disable, enable]>
secondary-secret: <value of string>
secondary-server: <value of string>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
sso-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
sso-attribute-key: <value of string>
sso-attribute-value-override: <value in [disable, enable]>
tertiary-secret: <value of string>
tertiary-server: <value of string>
timeout: <value of integer>
use-group-for-profile: <value in [disable, enable]>
use-management-vdom: <value in [disable, enable]>
username-case-sensitive: <value in [disable, enable]>
h3c-compatibility: <value in [disable, enable]>
name: <value of string>
nas-ip: <value of string>
password-encoding: <value in [ISO-8859-1, auto]>
password-renewal: <value in [disable, enable]>
radius-coa: <value in [disable, enable]>
radius-port: <value of integer>
rsso: <value in [disable, enable]>
rsso-context-timeout: <value of integer>
rsso-endpoint-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-endpoint-block-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
rsso-ep-one-ip-only: <value in [disable, enable]>
rsso-flush-ip-session: <value in [disable, enable]>
rsso-log-flags:
- none
- protocol-error
- profile-missing
- context-missing
- accounting-stop-missed
- accounting-event
- radiusd-other
- endpoint-block
rsso-log-period: <value of integer>
rsso-radius-response: <value in [disable, enable]>
rsso-radius-server-port: <value of integer>
rsso-secret: <value of string>
rsso-validate-request-secret: <value in [disable, enable]>
secondary-secret: <value of string>
secondary-server: <value of string>
secret: <value of string>
server: <value of string>
source-ip: <value of string>
sso-attribute: <value in [User-Name, User-Password, CHAP-Password, ...]>
sso-attribute-key: <value of string>
sso-attribute-value-override: <value in [disable, enable]>
tertiary-secret: <value of string>
tertiary-server: <value of string>
timeout: <value of integer>
use-management-vdom: <value in [disable, enable]>
username-case-sensitive: <value in [disable, enable]>
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| request_url string | always | The full url requested Sample: /sys/login/user |
| response_code integer | always | The status of api request |
| response_message string | always | The descriptive message of the api response Sample: OK. |
Authors
- Link Zheng (@chillancezen)
- Jie Xue (@JieX19)
- Frank Shen (@fshen01)
- Hongbin Lu (@fgtdev-hblu)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/fortinet/fortimanager/fmgr_user_radius_module.html