Parameter |
Choices/Defaults |
Comments |
host
string
|
|
FortiOS or FortiGate IP address.
|
https
boolean
|
|
Indicates if the requests towards FortiGate must use HTTPS protocol.
|
password
string
|
Default:
""
|
FortiOS or FortiGate password.
|
ssl_verify
boolean
added in 2.9 |
|
Ensures FortiGate certificate must be verified by a proper CA.
|
state
string
added in 2.9 |
|
Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
|
username
string
|
|
FortiOS or FortiGate username.
|
vdom
string
|
Default:
"root"
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
|
wireless_controller_vap
dictionary
|
|
Configure Virtual Access Points (VAPs).
|
|
acct_interim_interval
integer
|
|
WiFi RADIUS accounting interim interval (60 - 86400 sec).
|
|
alias
string
|
|
Alias.
|
|
auth
string
|
Choices:
- psk
- radius
- usergroup
|
Authentication protocol.
|
|
broadcast_ssid
string
|
|
Enable/disable broadcasting the SSID .
|
|
broadcast_suppression
string
|
Choices:
- dhcp-up
- dhcp-down
- dhcp-starvation
- arp-known
- arp-unknown
- arp-reply
- arp-poison
- arp-proxy
- netbios-ns
- netbios-ds
- ipv6
- all-other-mc
- all-other-bc
|
Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
|
|
captive_portal_ac_name
string
|
|
Local-bridging captive portal ac-name.
|
|
captive_portal_macauth_radius_secret
string
|
|
Secret key to access the macauth RADIUS server.
|
|
captive_portal_macauth_radius_server
string
|
|
Captive portal external RADIUS server domain name or IP address.
|
|
captive_portal_radius_secret
string
|
|
Secret key to access the RADIUS server.
|
|
captive_portal_radius_server
string
|
|
Captive portal RADIUS server domain name or IP address.
|
|
captive_portal_session_timeout_interval
integer
|
|
Session timeout interval (0 - 864000 sec).
|
|
dhcp_lease_time
integer
|
|
DHCP lease time in seconds for NAT IP address.
|
|
dhcp_option82_circuit_id_insertion
string
|
Choices:
- style-1
- style-2
- disable
|
Enable/disable DHCP option 82 circuit-id insert .
|
|
dhcp_option82_insertion
string
|
|
Enable/disable DHCP option 82 insert .
|
|
dhcp_option82_remote_id_insertion
string
|
|
Enable/disable DHCP option 82 remote-id insert .
|
|
dynamic_vlan
string
|
|
Enable/disable dynamic VLAN assignment.
|
|
eap_reauth
string
|
|
Enable/disable EAP re-authentication for WPA-Enterprise security.
|
|
eap_reauth_intv
integer
|
|
EAP re-authentication interval (1800 - 864000 sec).
|
|
eapol_key_retries
string
|
|
Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) .
|
|
encrypt
string
|
Choices:
- TKIP
- AES
- TKIP-AES
|
Encryption protocol to use (only available when security is set to a WPA type).
|
|
external_fast_roaming
string
|
|
Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate .
|
|
external_logout
string
|
|
URL of external authentication logout server.
|
|
external_web
string
|
|
URL of external authentication web server.
|
|
fast_bss_transition
string
|
|
Enable/disable 802.11r Fast BSS Transition (FT) .
|
|
fast_roaming
string
|
|
Enable/disable fast-roaming, or pre-authentication, where supported by clients .
|
|
ft_mobility_domain
integer
|
|
Mobility domain identifier in FT (1 - 65535).
|
|
ft_over_ds
string
|
|
Enable/disable FT over the Distribution System (DS).
|
|
ft_r0_key_lifetime
integer
|
|
Lifetime of the PMK-R0 key in FT, 1-65535 minutes.
|
|
gtk_rekey
string
|
|
Enable/disable GTK rekey for WPA security.
|
|
gtk_rekey_intv
integer
|
|
GTK rekey interval (1800 - 864000 sec).
|
|
hotspot20_profile
string
|
|
Hotspot 2.0 profile name.
|
|
intra_vap_privacy
string
|
|
Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) .
|
|
ip
string
|
|
IP address and subnet mask for the local standalone NAT subnet.
|
|
key
string
|
|
WEP Key.
|
|
keyindex
integer
|
|
WEP key index (1 - 4).
|
|
ldpc
string
|
Choices:
- disable
- rx
- tx
- rxtx
|
VAP low-density parity-check (LDPC) coding configuration.
|
|
local_authentication
string
|
|
Enable/disable AP local authentication.
|
|
local_bridging
string
|
|
Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP .
|
|
local_lan
string
|
|
Allow/deny traffic destined for a Class A, B, or C private IP address .
|
|
local_standalone
string
|
|
Enable/disable AP local standalone .
|
|
local_standalone_nat
string
|
|
Enable/disable AP local standalone NAT mode.
|
|
mac_auth_bypass
string
|
|
Enable/disable MAC authentication bypass.
|
|
mac_filter
string
|
|
Enable/disable MAC filtering to block wireless clients by mac address.
|
|
mac_filter_list
list
|
|
Create a list of MAC addresses for MAC address filtering.
|
|
|
id
integer
/ required
|
|
ID.
|
|
|
mac
string
|
|
MAC address.
|
|
|
mac_filter_policy
string
|
|
Deny or allow the client with this MAC address.
|
|
mac_filter_policy_other
string
|
|
Allow or block clients with MAC addresses that are not in the filter list.
|
|
max_clients
integer
|
|
Maximum number of clients that can connect simultaneously to the VAP .
|
|
max_clients_ap
integer
|
|
Maximum number of clients that can connect simultaneously to each radio .
|
|
me_disable_thresh
integer
|
|
Disable multicast enhancement when this many clients are receiving multicast traffic.
|
|
mesh_backhaul
string
|
|
Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open.
|
|
mpsk
string
|
|
Enable/disable multiple pre-shared keys (PSKs.)
|
|
mpsk_concurrent_clients
integer
|
|
Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
|
|
mpsk_key
list
|
|
Pre-shared keys that can be used to connect to this virtual access point.
|
|
|
comment
string
|
|
Comment.
|
|
|
concurrent_clients
string
|
|
Number of clients that can connect using this pre-shared key.
|
|
|
key_name
string
|
|
Pre-shared key name.
|
|
|
passphrase
string
|
|
WPA Pre-shared key.
|
|
multicast_enhance
string
|
|
Enable/disable converting multicast to unicast to improve performance .
|
|
multicast_rate
string
|
Choices:
- 0
- 6000
- 12000
- 24000
|
Multicast rate (0, 6000, 12000, or 24000 kbps).
|
|
name
string
/ required
|
|
Virtual AP name.
|
|
okc
string
|
|
Enable/disable Opportunistic Key Caching (OKC) .
|
|
passphrase
string
|
|
WPA pre-shard key (PSK) to be used to authenticate WiFi users.
|
|
pmf
string
|
Choices:
- disable
- enable
- optional
|
Protected Management Frames (PMF) support .
|
|
pmf_assoc_comeback_timeout
integer
|
|
Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).
|
|
pmf_sa_query_retry_timeout
integer
|
|
Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec).
|
|
portal_message_override_group
string
|
|
Replacement message group for this VAP (only available when security is set to a captive portal type).
|
|
portal_message_overrides
dictionary
|
|
Individual message overrides.
|
|
|
auth_disclaimer_page
string
|
|
Override auth-disclaimer-page message with message from portal-message-overrides group.
|
|
|
auth_login_failed_page
string
|
|
Override auth-login-failed-page message with message from portal-message-overrides group.
|
|
|
auth_login_page
string
|
|
Override auth-login-page message with message from portal-message-overrides group.
|
|
|
auth_reject_page
string
|
|
Override auth-reject-page message with message from portal-message-overrides group.
|
|
portal_type
string
|
Choices:
- auth
- auth+disclaimer
- disclaimer
- email-collect
- cmcc
- cmcc-macauth
- auth-mac
|
Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
|
|
probe_resp_suppression
string
|
|
Enable/disable probe response suppression (to ignore weak signals) .
|
|
probe_resp_threshold
string
|
|
Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20).
|
|
ptk_rekey
string
|
|
Enable/disable PTK rekey for WPA-Enterprise security.
|
|
ptk_rekey_intv
integer
|
|
PTK rekey interval (1800 - 864000 sec).
|
|
qos_profile
string
|
|
Quality of service profile name.
|
|
quarantine
string
|
|
Enable/disable station quarantine .
|
|
radio_2g_threshold
string
|
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20).
|
|
radio_5g_threshold
string
|
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20).
|
|
radio_sensitivity
string
|
|
Enable/disable software radio sensitivity (to ignore weak signals) .
|
|
radius_mac_auth
string
|
|
Enable/disable RADIUS-based MAC authentication of clients .
|
|
radius_mac_auth_server
string
|
|
RADIUS-based MAC authentication server.
|
|
radius_mac_auth_usergroups
list
|
|
Selective user groups that are permitted for RADIUS mac authentication.
|
|
|
name
string
/ required
|
|
User group name.
|
|
radius_server
string
|
|
RADIUS server to be used to authenticate WiFi users.
|
|
rates_11a
string
|
Choices:
- 1
- 1-basic
- 2
- 2-basic
- 5.5
- 5.5-basic
- 11
- 11-basic
- 6
- 6-basic
- 9
- 9-basic
- 12
- 12-basic
- 18
- 18-basic
- 24
- 24-basic
- 36
- 36-basic
- 48
- 48-basic
- 54
- 54-basic
|
Allowed data rates for 802.11a.
|
|
rates_11ac_ss12
string
|
Choices:
- mcs0/1
- mcs1/1
- mcs2/1
- mcs3/1
- mcs4/1
- mcs5/1
- mcs6/1
- mcs7/1
- mcs8/1
- mcs9/1
- mcs10/1
- mcs11/1
- mcs0/2
- mcs1/2
- mcs2/2
- mcs3/2
- mcs4/2
- mcs5/2
- mcs6/2
- mcs7/2
- mcs8/2
- mcs9/2
- mcs10/2
- mcs11/2
|
Allowed data rates for 802.11ac with 1 or 2 spatial streams.
|
|
rates_11ac_ss34
string
|
Choices:
- mcs0/3
- mcs1/3
- mcs2/3
- mcs3/3
- mcs4/3
- mcs5/3
- mcs6/3
- mcs7/3
- mcs8/3
- mcs9/3
- mcs10/3
- mcs11/3
- mcs0/4
- mcs1/4
- mcs2/4
- mcs3/4
- mcs4/4
- mcs5/4
- mcs6/4
- mcs7/4
- mcs8/4
- mcs9/4
- mcs10/4
- mcs11/4
|
Allowed data rates for 802.11ac with 3 or 4 spatial streams.
|
|
rates_11bg
string
|
Choices:
- 1
- 1-basic
- 2
- 2-basic
- 5.5
- 5.5-basic
- 11
- 11-basic
- 6
- 6-basic
- 9
- 9-basic
- 12
- 12-basic
- 18
- 18-basic
- 24
- 24-basic
- 36
- 36-basic
- 48
- 48-basic
- 54
- 54-basic
|
Allowed data rates for 802.11b/g.
|
|
rates_11n_ss12
string
|
Choices:
- mcs0/1
- mcs1/1
- mcs2/1
- mcs3/1
- mcs4/1
- mcs5/1
- mcs6/1
- mcs7/1
- mcs8/2
- mcs9/2
- mcs10/2
- mcs11/2
- mcs12/2
- mcs13/2
- mcs14/2
- mcs15/2
|
Allowed data rates for 802.11n with 1 or 2 spatial streams.
|
|
rates_11n_ss34
string
|
Choices:
- mcs16/3
- mcs17/3
- mcs18/3
- mcs19/3
- mcs20/3
- mcs21/3
- mcs22/3
- mcs23/3
- mcs24/4
- mcs25/4
- mcs26/4
- mcs27/4
- mcs28/4
- mcs29/4
- mcs30/4
- mcs31/4
|
Allowed data rates for 802.11n with 3 or 4 spatial streams.
|
|
schedule
string
|
|
VAP schedule name.
|
|
security
string
|
Choices:
- open
- captive-portal
- wep64
- wep128
- wpa-personal
- wpa-personal+captive-portal
- wpa-enterprise
- wpa-only-personal
- wpa-only-personal+captive-portal
- wpa-only-enterprise
- wpa2-only-personal
- wpa2-only-personal+captive-portal
- wpa2-only-enterprise
- osen
|
Security mode for the wireless interface .
|
|
security_exempt_list
string
|
|
Optional security exempt list for captive portal authentication.
|
|
security_obsolete_option
string
|
|
Enable/disable obsolete security options.
|
|
security_redirect_url
string
|
|
Optional URL for redirecting users after they pass captive portal authentication.
|
|
selected_usergroups
list
|
|
Selective user groups that are permitted to authenticate.
|
|
|
name
string
/ required
|
|
User group name.
|
|
split_tunneling
string
|
|
Enable/disable split tunneling .
|
|
ssid
string
|
|
IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
|
|
state
string
|
|
Deprecated
Starting with Ansible 2.9 we recommend using the top-level 'state' parameter.
Indicates whether to create or remove the object.
|
|
tkip_counter_measure
string
|
|
Enable/disable TKIP counter measure.
|
|
usergroup
list
|
|
Firewall user group to be used to authenticate WiFi users.
|
|
|
name
string
/ required
|
|
User group name.
|
|
utm_profile
string
|
|
UTM profile name.
|
|
vdom
string
|
|
Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
|
|
vlan_auto
string
|
|
Enable/disable automatic management of SSID VLAN interface.
|
|
vlan_pool
list
|
|
VLAN pool.
|
|
|
id
integer
/ required
|
|
ID.
|
|
|
wtp_group
string
|
|
WTP group name.
|
|
vlan_pooling
string
|
Choices:
- wtp-group
- round-robin
- hash
- disable
|
Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools . When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
|
|
vlanid
integer
|
|
Optional VLAN ID.
|
|
voice_enterprise
string
|
|
Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming .
|