fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate.

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify the wireless_controller feature and vap category. The examples include all parameters; values need to be adjusted to the relevant datasources before usage. Tested with FOS v6.4.0.

Requirements

The below requirements are needed on the host that executes this module.

  • ansible>=2.9.0

Parameters

  • access_token - Token-based authentication. Generated from the GUI of the FortiGate. type: str required: False
  • vdom - Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. type: str default: root
  • state - Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level. type: str required: False choices: present, absent
  • wireless_controller_vap - Configure Virtual Access Points (VAPs). type: dict
    • state - B(Deprecated) type: str required: False choices: present, absent
    • access_control_list - access-control-list profile name. Source wireless-controller.access-control-list.name. type: str
    • address_group - Address group ID. Source wireless-controller.addrgrp.id. type: str
    • atf_weight - Airtime weight in percentage. type: int
    • auth - Authentication protocol. type: str choices: psk, radius, usergroup
    • broadcast_ssid - Enable/disable broadcasting the SSID. type: str choices: enable, disable
    • broadcast_suppression - Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. type: str choices: dhcp-up, dhcp-down, dhcp-starvation, dhcp-ucast, arp-known, arp-unknown, arp-reply, arp-poison, arp-proxy, netbios-ns, netbios-ds, ipv6, all-other-mc, all-other-bc
    • captive_portal_ac_name - Local-bridging captive portal ac-name. type: str
    • captive_portal_auth_timeout - Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec). type: int
    • dhcp_lease_time - DHCP lease time in seconds for NAT IP address. type: int
    • dhcp_option82_circuit_id_insertion - Enable/disable DHCP option 82 circuit-id insert. type: str choices: style-1, style-2, style-3, disable
    • dhcp_option82_insertion - Enable/disable DHCP option 82 insert. type: str choices: enable, disable
    • dhcp_option82_remote_id_insertion - Enable/disable DHCP option 82 remote-id insert. type: str choices: style-1, disable
    • dynamic_vlan - Enable/disable dynamic VLAN assignment. type: str choices: enable, disable
    • eap_reauth - Enable/disable EAP re-authentication for WPA-Enterprise security. type: str choices: enable, disable
    • eap_reauth_intv - EAP re-authentication interval (1800 - 864000 sec). type: int
    • eapol_key_retries - Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2). type: str choices: disable, enable
    • encrypt - Encryption protocol to use (only available when security is set to a WPA type). type: str choices: TKIP, AES, TKIP-AES
    • external_fast_roaming - Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate. type: str choices: enable, disable
    • external_logout - URL of external authentication logout server. type: str
    • external_web - URL of external authentication web server. type: str
    • external_web_format - URL query parameter detection. type: str choices: auto-detect, no-query-string, partial-query-string
    • fast_bss_transition - Enable/disable 802.11r Fast BSS Transition (FT). type: str choices: disable, enable
    • fast_roaming - Enable/disable fast-roaming, or pre-authentication, where supported by clients. type: str choices: enable, disable
    • ft_mobility_domain - Mobility domain identifier in FT (1 - 65535). type: int
    • ft_over_ds - Enable/disable FT over the Distribution System (DS). type: str choices: disable, enable
    • ft_r0_key_lifetime - Lifetime of the PMK-R0 key in FT, 1-65535 minutes. type: int
    • gtk_rekey - Enable/disable GTK rekey for WPA security. type: str choices: enable, disable
    • gtk_rekey_intv - GTK rekey interval (1800 - 864000 sec). type: int
    • high_efficiency - Enable/disable 802.11ax high efficiency. type: str choices: enable, disable
    • hotspot20_profile - Hotspot 2.0 profile name. Source wireless-controller.hotspot20.hs-profile.name. type: str
    • intra_vap_privacy - Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy). type: str choices: enable, disable
    • ip - IP address and subnet mask for the local standalone NAT subnet. type: str
    • ipv6_rules - Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. type: str choices: drop-icmp6ra, drop-icmp6rs, drop-llmnr6, drop-icmp6mld2, drop-dhcp6s, drop-dhcp6c, ndp-proxy, drop-ns-dad, drop-ns-nondad
    • key - WEP Key. type: str
    • keyindex - WEP key index (1 - 4). type: int
    • ldpc - VAP low-density parity-check (LDPC) coding configuration. type: str choices: disable, rx, tx, rxtx
    • local_authentication - Enable/disable AP local authentication. type: str choices: enable, disable
    • local_bridging - Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP. type: str choices: enable, disable
    • local_lan - Allow/deny traffic destined for a Class A, B, or C private IP address. type: str choices: allow, deny
    • local_standalone - Enable/disable AP local standalone. type: str choices: enable, disable
    • local_standalone_nat - Enable/disable AP local standalone NAT mode. type: str choices: enable, disable
    • mac_auth_bypass - Enable/disable MAC authentication bypass. type: str choices: enable, disable
    • mac_filter - Enable/disable MAC filtering to block wireless clients by mac address. type: str choices: enable, disable
    • mac_filter_list - Create a list of MAC addresses for MAC address filtering. type: list
      • id - ID. type: int required: True
      • mac - MAC address. type: str
      • mac_filter_policy - Deny or allow the client with this MAC address. type: str choices: allow, deny
    • mac_filter_policy_other - Allow or block clients with MAC addresses that are not in the filter list. type: str choices: allow, deny
    • max_clients - Maximum number of clients that can connect simultaneously to the VAP. type: int
    • max_clients_ap - Maximum number of clients that can connect simultaneously to the VAP per AP radio. type: int
    • me_disable_thresh - Disable multicast enhancement when this many clients are receiving multicast traffic. type: int
    • mesh_backhaul - Enable/disable using this VAP as a WiFi mesh backhaul. This entry is only available when security is set to a WPA type or open. type: str choices: enable, disable
    • mpsk - Enable/disable multiple PSK authentication. type: str choices: enable, disable
    • mpsk_concurrent_clients - Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535). type: int
    • mpsk_key - List of multiple PSK entries. type: list
      • comment - Comment. type: str
      • concurrent_clients - Number of clients that can connect using this pre-shared key. type: str
      • key_name - Pre-shared key name. type: str
      • mpsk_schedules - Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. type: list
        • name - Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. type: str required: True
      • passphrase - WPA Pre-shared key. type: str
    • mu_mimo - Enable/disable Multi-user MIMO. type: str choices: enable, disable
    • multicast_enhance - Enable/disable converting multicast to unicast to improve performance. type: str choices: enable, disable
    • multicast_rate - Multicast rate (0, 6000, 12000, or 24000 kbps). type: str choices: 0, 6000, 12000, 24000
    • name - Virtual AP name. type: str required: True
    • okc - Enable/disable Opportunistic Key Caching (OKC). type: str choices: disable, enable
    • owe_groups - OWE-Groups. type: str choices: 19, 20, 21
    • owe_transition - Enable/disable OWE transition mode support. type: str choices: disable, enable
    • owe_transition_ssid - OWE transition mode peer SSID. type: str
    • passphrase - WPA pre-shared key (PSK) to be used to authenticate WiFi users. type: str
    • pmf - Protected Management Frames (PMF) support. type: str choices: disable, enable, optional
    • pmf_assoc_comeback_timeout - Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec). type: int
    • pmf_sa_query_retry_timeout - Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in 100s of msec). type: int
    • portal_message_override_group - Replacement message group for this VAP (only available when security is set to a captive portal type). Source system.replacemsg-group.name. type: str
    • portal_message_overrides - Individual message overrides. type: dict
      • auth_disclaimer_page - Override auth-disclaimer-page message with message from portal-message-overrides group. type: str
      • auth_login_failed_page - Override auth-login-failed-page message with message from portal-message-overrides group. type: str
      • auth_login_page - Override auth-login-page message with message from portal-message-overrides group. type: str
      • auth_reject_page - Override auth-reject-page message with message from portal-message-overrides group. type: str
    • portal_type - Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. type: str choices: auth, auth+disclaimer, disclaimer, email-collect, cmcc, cmcc-macauth, auth-mac, external-auth
    • primary_wag_profile - Primary wireless access gateway profile name. Source wireless-controller.wag-profile.name. type: str
    • probe_resp_suppression - Enable/disable probe response suppression (to ignore weak signals). type: str choices: enable, disable
    • probe_resp_threshold - Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). type: str
    • ptk_rekey - Enable/disable PTK rekey for WPA-Enterprise security. type: str choices: enable, disable
    • ptk_rekey_intv - PTK rekey interval (1800 - 864000 sec). type: int
    • qos_profile - Quality of service profile name. Source wireless-controller.qos-profile.name. type: str
    • quarantine - Enable/disable station quarantine. type: str choices: enable, disable
    • radio_2g_threshold - Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20). type: str
    • radio_5g_threshold - Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20). type: str
    • radio_sensitivity - Enable/disable software radio sensitivity (to ignore weak signals). type: str choices: enable, disable
    • radius_mac_auth - Enable/disable RADIUS-based MAC authentication of clients. type: str choices: enable, disable
    • radius_mac_auth_server - RADIUS-based MAC authentication server. Source user.radius.name. type: str
    • radius_mac_auth_usergroups - Selective user groups that are permitted for RADIUS mac authentication. type: list
      • name - User group name. type: str required: True
    • radius_server - RADIUS server to be used to authenticate WiFi users. Source user.radius.name. type: str
    • rates_11a - Allowed data rates for 802.11a. type: str choices: 1, 1-basic, 2, 2-basic, 5.5, 5.5-basic, 11, 11-basic, 6, 6-basic, 9, 9-basic, 12, 12-basic, 18, 18-basic, 24, 24-basic, 36, 36-basic, 48, 48-basic, 54, 54-basic
    • rates_11ac_ss12 - Allowed data rates for 802.11ac/ax with 1 or 2 spatial streams. type: str choices: mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs10/1, mcs11/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2, mcs10/2, mcs11/2
    • rates_11ac_ss34 - Allowed data rates for 802.11ac/ax with 3 or 4 spatial streams. type: str choices: mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs10/3, mcs11/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4, mcs10/4, mcs11/4
    • rates_11bg - Allowed data rates for 802.11b/g. type: str choices: 1, 1-basic, 2, 2-basic, 5.5, 5.5-basic, 11, 11-basic, 6, 6-basic, 9, 9-basic, 12, 12-basic, 18, 18-basic, 24, 24-basic, 36, 36-basic, 48, 48-basic, 54, 54-basic
    • rates_11n_ss12 - Allowed data rates for 802.11n with 1 or 2 spatial streams. type: str choices: mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/2, mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2
    • rates_11n_ss34 - Allowed data rates for 802.11n with 3 or 4 spatial streams. type: str choices: mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4
    • sae_groups - SAE-Groups. type: str choices: 19, 20, 21
    • sae_password - WPA3 SAE password to be used to authenticate WiFi users. type: str
    • schedule - Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space. type: list
      • name - Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. type: str required: True
    • secondary_wag_profile - Secondary wireless access gateway profile name. Source wireless-controller.wag-profile.name. type: str
    • security - Security mode for the wireless interface . type: str choices: open, captive-portal, wep64, wep128, wpa-personal, wpa-personal+captive-portal, wpa-enterprise, wpa-only-personal, wpa-only-personal+captive-portal, wpa-only-enterprise, wpa2-only-personal, wpa2-only-personal+captive-portal, wpa2-only-enterprise, wpa3-enterprise, wpa3-sae, wpa3-sae-transition, owe, osen
    • security_exempt_list - Optional security exempt list for captive portal authentication. Source user.security-exempt-list.name. type: str
    • security_redirect_url - Optional URL for redirecting users after they pass captive portal authentication. type: str
    • selected_usergroups - Selective user groups that are permitted to authenticate. type: list
      • name - User group name. Source user.group.name. type: str required: True
    • split_tunneling - Enable/disable split tunneling. type: str choices: enable, disable
    • ssid - IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. type: str
    • sticky_client_remove - Enable/disable sticky client remove to maintain good signal level clients in SSID. type: str choices: enable, disable
    • sticky_client_threshold_2g - Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20). type: str
    • sticky_client_threshold_5g - Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20). type: str
    • target_wake_time - Enable/disable 802.11ax target wake time. type: str choices: enable, disable
    • tkip_counter_measure - Enable/disable TKIP counter measure. type: str choices: enable, disable
    • tunnel_echo_interval - The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec). type: int
    • tunnel_fallback_interval - The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec). type: int
    • usergroup - Firewall user group to be used to authenticate WiFi users. type: list
      • name - User group name. Source user.group.name. type: str required: True
    • utm_profile - UTM profile name. Source wireless-controller.utm-profile.name. type: str
    • vlan_auto - Enable/disable automatic management of SSID VLAN interface. type: str choices: enable, disable
    • vlan_pool - VLAN pool. type: list
      • id - ID. type: int required: True
      • wtp_group - WTP group name. Source wireless-controller.wtp-group.name. type: str
    • vlan_pooling - Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools. When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. type: str choices: wtp-group, round-robin, hash, disable
    • vlanid - Optional VLAN ID. type: int
    • voice_enterprise - Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming. type: str choices: disable, enable

Notes

  • Legacy fortiosapi has been deprecated; httpapi is the preferred way to run playbooks.

Examples

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: yes
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 443
  tasks:
  - name: Configure Virtual Access Points (VAPs).
    fortios_wireless_controller_vap:
      vdom:  "{{ vdom }}"
      state: "present"
      access_token: "<your_own_value>"
      wireless_controller_vap:
        access_control_list: "<your_own_value> (source wireless-controller.access-control-list.name)"
        address_group: "<your_own_value> (source wireless-controller.addrgrp.id)"
        atf_weight: "5"
        auth: "psk"
        broadcast_ssid: "enable"
        broadcast_suppression: "dhcp-up"
        captive_portal_ac_name: "<your_own_value>"
        captive_portal_auth_timeout: "10"
        dhcp_lease_time: "11"
        dhcp_option82_circuit_id_insertion: "style-1"
        dhcp_option82_insertion: "enable"
        dhcp_option82_remote_id_insertion: "style-1"
        dynamic_vlan: "enable"
        eap_reauth: "enable"
        eap_reauth_intv: "17"
        eapol_key_retries: "disable"
        encrypt: "TKIP"
        external_fast_roaming: "enable"
        external_logout: "<your_own_value>"
        external_web: "<your_own_value>"
        external_web_format: "auto-detect"
        fast_bss_transition: "disable"
        fast_roaming: "enable"
        ft_mobility_domain: "26"
        ft_over_ds: "disable"
        ft_r0_key_lifetime: "28"
        gtk_rekey: "enable"
        gtk_rekey_intv: "30"
        high_efficiency: "enable"
        hotspot20_profile: "<your_own_value> (source wireless-controller.hotspot20.hs-profile.name)"
        intra_vap_privacy: "enable"
        ip: "<your_own_value>"
        ipv6_rules: "drop-icmp6ra"
        key: "<your_own_value>"
        keyindex: "37"
        ldpc: "disable"
        local_authentication: "enable"
        local_bridging: "enable"
        local_lan: "allow"
        local_standalone: "enable"
        local_standalone_nat: "enable"
        mac_auth_bypass: "enable"
        mac_filter: "enable"
        mac_filter_list:
         -
            id:  "47"
            mac: "<your_own_value>"
            mac_filter_policy: "allow"
        mac_filter_policy_other: "allow"
        max_clients: "51"
        max_clients_ap: "52"
        me_disable_thresh: "53"
        mesh_backhaul: "enable"
        mpsk: "enable"
        mpsk_concurrent_clients: "56"
        mpsk_key:
         -
            comment: "Comment."
            concurrent_clients: "<your_own_value>"
            key_name: "<your_own_value>"
            mpsk_schedules:
             -
                name: "default_name_62 (source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name)"
            passphrase: "<your_own_value>"
        mu_mimo: "enable"
        multicast_enhance: "enable"
        multicast_rate: "0"
        name: "default_name_67"
        okc: "disable"
        owe_groups: "19"
        owe_transition: "disable"
        owe_transition_ssid: "<your_own_value>"
        passphrase: "<your_own_value>"
        pmf: "disable"
        pmf_assoc_comeback_timeout: "74"
        pmf_sa_query_retry_timeout: "75"
        portal_message_override_group: "<your_own_value> (source system.replacemsg-group.name)"
        portal_message_overrides:
            auth_disclaimer_page: "<your_own_value>"
            auth_login_failed_page: "<your_own_value>"
            auth_login_page: "<your_own_value>"
            auth_reject_page: "<your_own_value>"
        portal_type: "auth"
        primary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
        probe_resp_suppression: "enable"
        probe_resp_threshold: "<your_own_value>"
        ptk_rekey: "enable"
        ptk_rekey_intv: "87"
        qos_profile: "<your_own_value> (source wireless-controller.qos-profile.name)"
        quarantine: "enable"
        radio_2g_threshold: "<your_own_value>"
        radio_5g_threshold: "<your_own_value>"
        radio_sensitivity: "enable"
        radius_mac_auth: "enable"
        radius_mac_auth_server: "<your_own_value> (source user.radius.name)"
        radius_mac_auth_usergroups:
         -
            name: "default_name_96"
        radius_server: "<your_own_value> (source user.radius.name)"
        rates_11a: "1"
        rates_11ac_ss12: "mcs0/1"
        rates_11ac_ss34: "mcs0/3"
        rates_11bg: "1"
        rates_11n_ss12: "mcs0/1"
        rates_11n_ss34: "mcs16/3"
        sae_groups: "19"
        sae_password: "<your_own_value>"
        schedule:
         -
            name: "default_name_107 (source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name)"
        secondary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
        security: "open"
        security_exempt_list: "<your_own_value> (source user.security-exempt-list.name)"
        security_redirect_url: "<your_own_value>"
        selected_usergroups:
         -
            name: "default_name_113 (source user.group.name)"
        split_tunneling: "enable"
        ssid: "<your_own_value>"
        sticky_client_remove: "enable"
        sticky_client_threshold_2g: "<your_own_value>"
        sticky_client_threshold_5g: "<your_own_value>"
        target_wake_time: "enable"
        tkip_counter_measure: "enable"
        tunnel_echo_interval: "121"
        tunnel_fallback_interval: "122"
        usergroup:
         -
            name: "default_name_124 (source user.group.name)"
        utm_profile: "<your_own_value> (source wireless-controller.utm-profile.name)"
        vlan_auto: "enable"
        vlan_pool:
         -
            id:  "128"
            wtp_group: "<your_own_value> (source wireless-controller.wtp-group.name)"
        vlan_pooling: "wtp-group"
        vlanid: "131"
        voice_enterprise: "disable"
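The template above sets every parameter once with placeholder values and leaves `security: "open"`; as an added example that is not part of the module's own documentation, the playbook below uses only parameters and choice values from the list above to retire a legacy WEP VAP and create a WPA2-Enterprise VAP with PMF, AES-only encryption, periodic rekeying and client isolation. The inventory group `fortigates`, the VAP and SSID names, the vault variable `fortios_access_token`, and the RADIUS server name are assumptions (placeholders in angle brackets must be replaced with objects that already exist on the device, as the `Source` annotations above indicate).

```yaml
# Added example, not from the fortios_wireless_controller_vap docs.
# Assumed: inventory group "fortigates", a vault variable
# fortios_access_token, and a user.radius object already on the FortiGate.
- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: yes   # the template above sets "no"; validate the FortiGate cert
    ansible_httpapi_port: 443
  tasks:
  - name: Remove the legacy WEP VAP (identified by its required key, name)
    fortios_wireless_controller_vap:
      vdom: "{{ vdom }}"
      state: "absent"
      access_token: "{{ fortios_access_token }}"   # assumed vault variable
      wireless_controller_vap:
        name: "<legacy-wep-vap-name>"               # placeholder

  - name: Create a WPA2-Enterprise VAP with PMF and client isolation
    fortios_wireless_controller_vap:
      vdom: "{{ vdom }}"
      state: "present"
      access_token: "{{ fortios_access_token }}"
      wireless_controller_vap:
        name: "corp-wpa2-ent"                       # assumed VAP name
        ssid: "corp-secure"                         # assumed SSID
        broadcast_ssid: "enable"
        security: "wpa2-only-enterprise"            # no WPA1/WEP/open fallback
        encrypt: "AES"                              # AES only; TKIP and TKIP-AES are the weaker choices
        auth: "radius"
        radius_server: "<radius-server-name>"       # placeholder, Source user.radius.name
        pmf: "enable"                               # require Protected Management Frames
        pmf_assoc_comeback_timeout: "1"             # range 1 - 20 sec
        pmf_sa_query_retry_timeout: "2"             # range 1 - 5, in 100s of msec
        eapol_key_retries: "disable"                # no retransmission of EAPOL-Key 3/4 and group 1/2
        eap_reauth: "enable"
        eap_reauth_intv: "3600"                     # range 1800 - 864000 sec
        ptk_rekey: "enable"
        ptk_rekey_intv: "3600"                      # range 1800 - 864000 sec
        gtk_rekey: "enable"
        gtk_rekey_intv: "3600"                      # range 1800 - 864000 sec
        tkip_counter_measure: "enable"
        intra_vap_privacy: "enable"                 # block client-to-client traffic on the SSID
        broadcast_suppression: "arp-poison"         # keep ARP-poison broadcasts off the air
        ipv6_rules: "drop-icmp6ra"                  # keep router advertisements off the wireless network
        quarantine: "enable"                        # allow station quarantine
        max_clients: "200"                          # assumed capacity limit
```

The `state: "absent"` task only needs `name`, the one required field in the parameter list, because `name` is the VAP's key. Numeric values are quoted as in the template above; the module converts them according to the `type: int` declarations, and each comment records the documented range so a value outside it is caught at review rather than by the device.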

Return Values

Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values; the following are the fields unique to this module:

  • build - Build number of the FortiGate image returned: always type: str sample: 1547
  • http_method - Last method used to provision the content into FortiGate returned: always type: str sample: PUT
  • http_status - Last result given by FortiGate on last operation applied returned: always type: str sample: 200
  • mkey - Master key (id) used in the last call to FortiGate returned: success type: str sample: id
  • name - Name of the table used to fulfill the request returned: always type: str sample: urlfilter
  • path - Path of the table used to fulfill the request returned: always type: str sample: webfilter
  • revision - Internal revision number returned: always type: str sample: 17.0.2.10658
  • serial - Serial number of the unit returned: always type: str sample: FGVMEVYYQT3AB5352
  • status - Indication of the operation's result returned: always type: str sample: success
  • vdom - Virtual domain used returned: always type: str sample: root
  • version - Version of the FortiGate returned: always type: str sample: v5.6.3

Status

  • This module is not guaranteed to have a backwards compatible interface.

Authors

  • Link Zheng (@chillancezen)
  • Jie Xue (@JieX19)
  • Hongbin Lu (@fgtdev-hblu)
  • Frank Shen (@frankshen01)
  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)
