fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate
New in version 2.8.
Synopsis
This module configures a FortiGate or FortiOS device by letting the user set and modify the vap category of the wireless_controller feature. The examples include all parameters; their values need to be adjusted to your data sources before use. Tested with FOS v6.0.2.
Requirements
The below requirements are needed on the host that executes this module.
fortiosapi>=0.9.8
Parameters

Parameter | Choices/Defaults | Comments
---|---|---
host (required) | | FortiOS or FortiGate IP address.
https (boolean) | | Indicates whether requests towards the FortiGate must use the HTTPS protocol.
password | Default: "" | FortiOS or FortiGate password.
username (required) | | FortiOS or FortiGate username.
vdom | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
wireless_controller_vap | Default: null | Configure Virtual Access Points (VAPs).

Suboptions of wireless_controller_vap (nested list entries are written as parent / child):

Parameter | Choices/Defaults | Comments
---|---|---
acct-interim-interval | | WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
alias | | Alias.
auth | | Authentication protocol.
broadcast-ssid | | Enable/disable broadcasting the SSID (default = enable).
broadcast-suppression | | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
captive-portal-ac-name | | Local-bridging captive portal ac-name.
captive-portal-macauth-radius-secret | | Secret key to access the macauth RADIUS server.
captive-portal-macauth-radius-server | | Captive portal external RADIUS server domain name or IP address.
captive-portal-radius-secret | | Secret key to access the RADIUS server.
captive-portal-radius-server | | Captive portal RADIUS server domain name or IP address.
captive-portal-session-timeout-interval | | Session timeout interval (0 - 864000 sec, default = 0).
dhcp-lease-time | | DHCP lease time in seconds for the NAT IP address.
dhcp-option82-circuit-id-insertion | | Enable/disable DHCP option 82 circuit-id insert (default = disable).
dhcp-option82-insertion | | Enable/disable DHCP option 82 insert (default = disable).
dhcp-option82-remote-id-insertion | | Enable/disable DHCP option 82 remote-id insert (default = disable).
dynamic-vlan | | Enable/disable dynamic VLAN assignment.
eap-reauth | | Enable/disable EAP re-authentication for WPA-Enterprise security.
eap-reauth-intv | | EAP re-authentication interval (1800 - 864000 sec, default = 86400).
eapol-key-retries | | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
encrypt | | Encryption protocol to use (only available when security is set to a WPA type).
external-fast-roaming | | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
external-logout | | URL of the external authentication logout server.
external-web | | URL of the external authentication web server.
fast-bss-transition | | Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
fast-roaming | | Enable/disable fast roaming, or pre-authentication, where supported by clients (default = disable).
ft-mobility-domain | | Mobility domain identifier in FT (1 - 65535, default = 1000).
ft-over-ds | | Enable/disable FT over the Distribution System (DS).
ft-r0-key-lifetime | | Lifetime of the PMK-R0 key in FT (1 - 65535 minutes).
gtk-rekey | | Enable/disable GTK rekey for WPA security.
gtk-rekey-intv | | GTK rekey interval (1800 - 864000 sec, default = 86400).
hotspot20-profile | | Hotspot 2.0 profile name.
intra-vap-privacy | | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
ip | | IP address and subnet mask for the local standalone NAT subnet.
key | | WEP key.
keyindex | | WEP key index (1 - 4).
ldpc | | VAP low-density parity-check (LDPC) coding configuration.
local-authentication | | Enable/disable AP local authentication.
local-bridging | | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
local-lan | | Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
local-standalone | | Enable/disable AP local standalone (default = disable).
local-standalone-nat | | Enable/disable AP local standalone NAT mode.
mac-auth-bypass | | Enable/disable MAC authentication bypass.
mac-filter | | Enable/disable MAC filtering to block wireless clients by MAC address.
mac-filter-list | | Create a list of MAC addresses for MAC address filtering.
mac-filter-list / id (required) | | ID.
mac-filter-list / mac | | MAC address.
mac-filter-list / mac-filter-policy | | Deny or allow the client with this MAC address.
mac-filter-policy-other | | Allow or block clients with MAC addresses that are not in the filter list.
max-clients | | Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).
max-clients-ap | | Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation).
me-disable-thresh | | Disable multicast enhancement when this many clients are receiving multicast traffic.
mesh-backhaul | | Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
mpsk | | Enable/disable multiple pre-shared keys (PSKs).
mpsk-concurrent-clients | | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
mpsk-key | | Pre-shared keys that can be used to connect to this virtual access point.
mpsk-key / comment | | Comment.
mpsk-key / concurrent-clients | | Number of clients that can connect using this pre-shared key.
mpsk-key / key-name (required) | | Pre-shared key name.
mpsk-key / passphrase | | WPA pre-shared key.
multicast-enhance | | Enable/disable converting multicast to unicast to improve performance (default = disable).
multicast-rate | | Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
name (required) | | Virtual AP name.
okc | | Enable/disable Opportunistic Key Caching (OKC) (default = enable).
passphrase | | WPA pre-shared key (PSK) to be used to authenticate WiFi users.
pmf | | Protected Management Frames (PMF) support (default = disable).
pmf-assoc-comeback-timeout | | Protected Management Frames (PMF) comeback maximum timeout (1 - 20 sec).
pmf-sa-query-retry-timeout | | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5, in units of 100 msec).
portal-message-override-group | | Replacement message group for this VAP (only available when security is set to a captive portal type).
portal-message-overrides | | Individual message overrides.
portal-message-overrides / auth-disclaimer-page | | Override the auth-disclaimer-page message with the message from the portal-message-overrides group.
portal-message-overrides / auth-login-failed-page | | Override the auth-login-failed-page message with the message from the portal-message-overrides group.
portal-message-overrides / auth-login-page | | Override the auth-login-page message with the message from the portal-message-overrides group.
portal-message-overrides / auth-reject-page | | Override the auth-reject-page message with the message from the portal-message-overrides group.
portal-type | | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
probe-resp-suppression | | Enable/disable probe response suppression (to ignore weak signals) (default = disable).
probe-resp-threshold | | Minimum signal level/threshold in dBm required for the AP to respond to probe requests (-95 to -20, default = -80).
ptk-rekey | | Enable/disable PTK rekey for WPA-Enterprise security.
ptk-rekey-intv | | PTK rekey interval (1800 - 864000 sec, default = 86400).
qos-profile | | Quality of service profile name.
quarantine | | Enable/disable station quarantine (default = enable).
radio-2g-threshold | | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 2.4G band (-95 to -20, default = -79).
radio-5g-threshold | | Minimum signal level/threshold in dBm required for the AP to receive a packet in the 5G band (-95 to -20, default = -76).
radio-sensitivity | | Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
radius-mac-auth | | Enable/disable RADIUS-based MAC authentication of clients (default = disable).
radius-mac-auth-server | | RADIUS-based MAC authentication server.
radius-mac-auth-usergroups | | Selective user groups that are permitted for RADIUS MAC authentication.
radius-mac-auth-usergroups / name (required) | | User group name.
radius-server | | RADIUS server to be used to authenticate WiFi users.
rates-11a | | Allowed data rates for 802.11a.
rates-11ac-ss12 | | Allowed data rates for 802.11ac with 1 or 2 spatial streams.
rates-11ac-ss34 | | Allowed data rates for 802.11ac with 3 or 4 spatial streams.
rates-11bg | | Allowed data rates for 802.11b/g.
rates-11n-ss12 | | Allowed data rates for 802.11n with 1 or 2 spatial streams.
rates-11n-ss34 | | Allowed data rates for 802.11n with 3 or 4 spatial streams.
schedule | | VAP schedule name.
security | | Security mode for the wireless interface (default = wpa2-only-personal).
security-exempt-list | | Optional security exempt list for captive portal authentication.
security-obsolete-option | | Enable/disable obsolete security options.
security-redirect-url | | Optional URL for redirecting users after they pass captive portal authentication.
selected-usergroups | | Selective user groups that are permitted to authenticate.
selected-usergroups / name (required) | | User group name.
split-tunneling | | Enable/disable split tunneling (default = disable).
ssid | | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
state | | Indicates whether to create or remove the object.
tkip-counter-measure | | Enable/disable TKIP counter measure.
usergroup | | Firewall user group to be used to authenticate WiFi users.
usergroup / name (required) | | User group name.
utm-profile | | UTM profile name.
vdom | | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
vlan-auto | | Enable/disable automatic management of the SSID VLAN interface.
vlan-pool | | VLAN pool.
vlan-pool / id (required) | | ID.
vlan-pool / wtp-group | | WTP group name.
vlan-pooling | | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
vlanid | | Optional VLAN ID.
voice-enterprise | | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).
Notes
Requires the fortiosapi library developed by Fortinet.
Run as a local_action in your playbook.
Examples

```yaml
- hosts: localhost
  vars:
    host: "192.168.122.40"
    username: "admin"
    password: ""
    vdom: "root"
  tasks:
    - name: Configure Virtual Access Points (VAPs).
      fortios_wireless_controller_vap:
        host: "{{ host }}"
        username: "{{ username }}"
        password: "{{ password }}"
        vdom: "{{ vdom }}"
        https: "False"
        wireless_controller_vap:
          state: "present"
          acct-interim-interval: "3"
          alias: "<your_own_value>"
          auth: "psk"
          broadcast-ssid: "enable"
          broadcast-suppression: "dhcp-up"
          captive-portal-ac-name: "<your_own_value>"
          captive-portal-macauth-radius-secret: "<your_own_value>"
          captive-portal-macauth-radius-server: "<your_own_value>"
          captive-portal-radius-secret: "<your_own_value>"
          captive-portal-radius-server: "<your_own_value>"
          captive-portal-session-timeout-interval: "13"
          dhcp-lease-time: "14"
          dhcp-option82-circuit-id-insertion: "style-1"
          dhcp-option82-insertion: "enable"
          dhcp-option82-remote-id-insertion: "style-1"
          dynamic-vlan: "enable"
          eap-reauth: "enable"
          eap-reauth-intv: "20"
          eapol-key-retries: "disable"
          encrypt: "TKIP"
          external-fast-roaming: "enable"
          external-logout: "<your_own_value>"
          external-web: "<your_own_value>"
          fast-bss-transition: "disable"
          fast-roaming: "enable"
          ft-mobility-domain: "28"
          ft-over-ds: "disable"
          ft-r0-key-lifetime: "30"
          gtk-rekey: "enable"
          gtk-rekey-intv: "32"
          hotspot20-profile: "<your_own_value>"
          intra-vap-privacy: "enable"
          ip: "<your_own_value>"
          key: "<your_own_value>"
          keyindex: "37"
          ldpc: "disable"
          local-authentication: "enable"
          local-bridging: "enable"
          local-lan: "allow"
          local-standalone: "enable"
          local-standalone-nat: "enable"
          mac-auth-bypass: "enable"
          mac-filter: "enable"
          mac-filter-list:
            - id: "47"
              mac: "<your_own_value>"
              mac-filter-policy: "allow"
          mac-filter-policy-other: "allow"
          max-clients: "51"
          max-clients-ap: "52"
          me-disable-thresh: "53"
          mesh-backhaul: "enable"
          mpsk: "enable"
          mpsk-concurrent-clients: "56"
          mpsk-key:
            - comment: "Comment."
              concurrent-clients: "<your_own_value>"
              key-name: "<your_own_value>"
              passphrase: "<your_own_value>"
          multicast-enhance: "enable"
          multicast-rate: "0"
          name: "default_name_64"
          okc: "disable"
          passphrase: "<your_own_value>"
          pmf: "disable"
          pmf-assoc-comeback-timeout: "68"
          pmf-sa-query-retry-timeout: "69"
          portal-message-override-group: "<your_own_value>"
          portal-message-overrides:
            auth-disclaimer-page: "<your_own_value>"
            auth-login-failed-page: "<your_own_value>"
            auth-login-page: "<your_own_value>"
            auth-reject-page: "<your_own_value>"
          portal-type: "auth"
          probe-resp-suppression: "enable"
          probe-resp-threshold: "<your_own_value>"
          ptk-rekey: "enable"
          ptk-rekey-intv: "80"
          qos-profile: "<your_own_value>"
          quarantine: "enable"
          radio-2g-threshold: "<your_own_value>"
          radio-5g-threshold: "<your_own_value>"
          radio-sensitivity: "enable"
          radius-mac-auth: "enable"
          radius-mac-auth-server: "<your_own_value>"
          radius-mac-auth-usergroups:
            - name: "default_name_89"
          radius-server: "<your_own_value>"
          rates-11a: "1"
          rates-11ac-ss12: "mcs0/1"
          rates-11ac-ss34: "mcs0/3"
          rates-11bg: "1"
          rates-11n-ss12: "mcs0/1"
          rates-11n-ss34: "mcs16/3"
          schedule: "<your_own_value>"
          security: "open"
          security-exempt-list: "<your_own_value>"
          security-obsolete-option: "enable"
          security-redirect-url: "<your_own_value>"
          selected-usergroups:
            - name: "default_name_103"
          split-tunneling: "enable"
          ssid: "<your_own_value>"
          tkip-counter-measure: "enable"
          usergroup:
            - name: "default_name_108"
          utm-profile: "<your_own_value>"
          vdom: "<your_own_value> (source system.vdom.name)"
          vlan-auto: "enable"
          vlan-pool:
            - id: "113"
              wtp-group: "<your_own_value>"
          vlan-pooling: "wtp-group"
          vlanid: "116"
          voice-enterprise: "disable"
```
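The sample playbook above is autogenerated: most string values are placeholders and several numeric values (for example acct-interim-interval, eap-reauth-intv, keyindex) fall outside the ranges documented in the Parameters table. The following pre-flight check is an added example, not part of the module or of the fortiosapi library: it validates a `wireless_controller_vap` mapping against those documented ranges and flags the settings a reviewer would want to see before the play applies them (an open SSID, TKIP, obsolete security options, PMF disabled). `lint_vap`, `RANGES`, `WEAK` and `EXAMPLE_VAP` are names chosen here; `EXAMPLE_VAP` is constructed from the sample playbook's values.

```python
# Added example: pre-flight lint for a wireless_controller_vap mapping.
# Ranges are the ones documented in the Parameters table of this page.
RANGES = {
    "acct-interim-interval": (60, 86400),
    "captive-portal-session-timeout-interval": (0, 864000),
    "eap-reauth-intv": (1800, 864000),
    "gtk-rekey-intv": (1800, 864000),
    "keyindex": (1, 4),
    "pmf-assoc-comeback-timeout": (1, 20),
    "probe-resp-threshold": (-95, -20),
    "ptk-rekey-intv": (1800, 864000),
    "radio-2g-threshold": (-95, -20),
    "radio-5g-threshold": (-95, -20),
}

# Settings a reviewer should see before the play applies them: an open SSID,
# the deprecated TKIP cipher, obsolete options, unprotected management frames.
WEAK = {
    ("security", "open"): "open SSID: no encryption or authentication",
    ("encrypt", "TKIP"): "TKIP cipher is deprecated",
    ("security-obsolete-option", "enable"): "obsolete security options enabled",
    ("pmf", "disable"): "Protected Management Frames disabled",
}


def lint_vap(vap):
    """Return (severity, parameter, message) tuples for one VAP mapping.
    Numbers arrive as strings, as in the YAML; placeholders are errors."""
    findings = []
    for param, value in vap.items():
        if value == "<your_own_value>":
            findings.append(("error", param, "placeholder not replaced"))
        elif param in RANGES:
            lo, hi = RANGES[param]
            try:
                n = int(value)
            except (TypeError, ValueError):
                findings.append(("error", param, f"{value!r} is not an integer"))
                continue
            if not lo <= n <= hi:
                findings.append(("error", param, f"{n} outside {lo}..{hi}"))
        elif (param, value) in WEAK:
            findings.append(("warning", param, WEAK[(param, value)]))
    return findings


# Constructed input: the numeric and security values from the sample playbook.
EXAMPLE_VAP = {"security": "open", "encrypt": "TKIP", "pmf": "disable",
               "acct-interim-interval": "3", "eap-reauth-intv": "20", "keyindex": "37",
               "ptk-rekey-intv": "80", "ssid": "<your_own_value>"}
```

Running `lint_vap(EXAMPLE_VAP)` reports four range errors, one unreplaced placeholder and three weak-security warnings, which is the review the synopsis asks for when it says values must be adjusted before use.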
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Type | Returned | Description | Sample
---|---|---|---|---
build | string | always | Build number of the FortiGate image | 1547
http_method | string | always | Last method used to provision the content into the FortiGate | PUT
http_status | string | always | Last result given by the FortiGate on the last operation applied | 200
mkey | string | success | Master key (id) used in the last call to the FortiGate | id
name | string | always | Name of the table used to fulfill the request | urlfilter
path | string | always | Path of the table used to fulfill the request | webfilter
revision | string | always | Internal revision number | 17.0.2.10658
serial | string | always | Serial number of the unit | FGVMEVYYQT3AB5352
status | string | always | Indication of the operation's result | success
vdom | string | always | Virtual domain used | root
version | string | always | Version of the FortiGate | v5.6.3
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]