fortinet.fortios.fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_wireless_controller_vap
.
New in version 2.10: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify wireless_controller feature and vap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
|
Configure Virtual Access Points (VAPs). |
|
access-control-list profile name. Source wireless-controller.access-control-list.name. |
|
WiFi RADIUS accounting interim interval (60 - 86400 sec). |
|
Additional AKMs. Choices:
|
|
Address group ID. Source wireless-controller.addrgrp.id. |
|
Alias. |
|
AntiVirus profile name. Source antivirus.profile.name. |
|
Application control list name. Source application.list.name. |
|
Airtime weight in percentage . |
|
Authentication protocol. Choices:
|
|
Enable/disable broadcasting the SSID . Choices:
|
|
Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. Choices:
|
|
Enable/disable 802.11ax partial BSS color . Choices:
|
|
Enable/disable forcing of disassociation after the BSTM request timer has been reached . Choices:
|
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30). |
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000). |
|
Local-bridging captive portal ac-name. |
|
Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec). |
|
Secret key to access the macauth RADIUS server. |
|
Captive portal external RADIUS server domain name or IP address. |
|
Secret key to access the RADIUS server. |
|
Captive portal RADIUS server domain name or IP address. |
|
Session timeout interval (0 - 864000 sec). |
|
Enable/disable DHCP address enforcement . Choices:
|
|
DHCP lease time in seconds for NAT IP address. |
|
Enable/disable insertion of DHCP option 43 . Choices:
|
|
Enable/disable DHCP option 82 circuit-id insert . Choices:
|
|
Enable/disable DHCP option 82 insert . Choices:
|
|
Enable/disable DHCP option 82 remote-id insert . Choices:
|
|
Enable/disable dynamic VLAN assignment. Choices:
|
|
Enable/disable EAP re-authentication for WPA-Enterprise security. Choices:
|
|
EAP re-authentication interval (1800 - 864000 sec). |
|
Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) . Choices:
|
|
Encryption protocol to use (only available when security is set to a WPA type). Choices:
|
|
Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate . Choices:
|
|
URL of external authentication logout server. |
|
URL of external authentication web server. |
|
URL query parameter detection . Choices:
|
|
Enable/disable 802.11r Fast BSS Transition (FT) . Choices:
|
|
Enable/disable fast-roaming, or pre-authentication, where supported by clients . Choices:
|
|
Mobility domain identifier in FT (1 - 65535). |
|
Enable/disable FT over the Distribution System (DS). Choices:
|
|
Lifetime of the PMK-R0 key in FT, 1-65535 minutes. |
|
GAS comeback delay (0 or 100 - 10000 milliseconds). |
|
GAS fragmentation limit (512 - 4096). |
|
Enable/disable GTK rekey for WPA security. Choices:
|
|
GTK rekey interval (1800 - 864000 sec). |
|
Enable/disable 802.11ax high efficiency . Choices:
|
|
Hotspot 2.0 profile name. Source wireless-controller.hotspot20.hs-profile.name. |
|
Enable/disable IGMP snooping. Choices:
|
|
Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) . Choices:
|
|
IP address and subnet mask for the local standalone NAT subnet. |
|
IPS sensor name. Source ips.sensor.name. |
|
Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. Choices:
|
|
WEP Key. |
|
WEP key index (1 - 4). |
|
VAP low-density parity-check (LDPC) coding configuration. Choices:
|
|
Enable/disable AP local authentication. Choices:
|
|
Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP . Choices:
|
|
Allow/deny traffic destined for a Class A, B, or C private IP address . Choices:
|
|
Enable/disable AP local standalone . Choices:
|
|
Enable/disable AP local standalone DNS. Choices:
|
|
IPv4 addresses for the local standalone DNS. |
|
Enable/disable AP local standalone NAT mode. Choices:
|
|
Enable/disable MAC authentication bypass. Choices:
|
|
MAC called station delimiter . Choices:
|
|
MAC calling station delimiter . Choices:
|
|
MAC case . Choices:
|
|
Enable/disable MAC filtering to block wireless clients by mac address. Choices:
|
|
Create a list of MAC addresses for MAC address filtering. |
|
ID. |
|
MAC address. |
|
Deny or allow the client with this MAC address. Choices:
|
|
Allow or block clients with MAC addresses that are not in the filter list. Choices:
|
|
MAC authentication password delimiter . Choices:
|
|
MAC authentication username delimiter . Choices:
|
|
Maximum number of clients that can connect simultaneously to the VAP . |
|
Maximum number of clients that can connect simultaneously to each radio . |
|
Enable/disable Multiband Operation . Choices:
|
|
MBO cell data connection preference (0, 1, or 255). Choices:
|
|
Disable multicast enhancement when this many clients are receiving multicast traffic. |
|
Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open. Choices:
|
|
Enable/disable multiple pre-shared keys (PSKs.) Choices:
|
|
Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. |
|
Pre-shared keys that can be used to connect to this virtual access point. |
|
Comment. |
|
Number of clients that can connect using this pre-shared key. |
|
Pre-shared key name. |
|
Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. |
|
Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. |
|
WPA Pre-shared key. |
|
MPSK profile name. Source wireless-controller.mpsk-profile.name. |
|
Enable/disable Multi-user MIMO . Choices:
|
|
Enable/disable converting multicast to unicast to improve performance . Choices:
|
|
Multicast rate (0, 6000, 12000, or 24000 kbps). Choices:
|
|
Enable/disable network access control. Choices:
|
|
NAC profile name. Source wireless-controller.nac-profile.name. |
|
Virtual AP name. |
|
Enable/disable dual-band neighbor report . Choices:
|
|
Enable/disable Opportunistic Key Caching (OKC) . Choices:
|
|
OWE-Groups. Choices:
|
|
Enable/disable OWE transition mode support. Choices:
|
|
OWE transition mode peer SSID. |
|
WPA pre-shard key (PSK) to be used to authenticate WiFi users. |
|
Protected Management Frames (PMF) support . Choices:
|
|
Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). |
|
Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). |
|
Enable/disable LAN port MAC authentication . Choices:
|
|
LAN port MAC authentication re-authentication timeout value . |
|
LAN port MAC authentication idle timeout value . |
|
Replacement message group for this VAP (only available when security is set to a captive portal type). Source system.replacemsg-group .name. |
|
Individual message overrides. |
|
Override auth-disclaimer-page message with message from portal-message-overrides group. |
|
Override auth-login-failed-page message with message from portal-message-overrides group. |
|
Override auth-login-page message with message from portal-message-overrides group. |
|
Override auth-reject-page message with message from portal-message-overrides group. |
|
Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. Choices:
|
|
Primary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
|
Enable/disable probe response suppression (to ignore weak signals) . Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). |
|
Enable/disable PTK rekey for WPA-Enterprise security. Choices:
|
|
PTK rekey interval (1800 - 864000 sec). |
|
Quality of service profile name. Source wireless-controller.qos-profile.name. |
|
Enable/disable station quarantine . Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20). |
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20). |
|
Enable/disable software radio sensitivity (to ignore weak signals) . Choices:
|
|
Enable/disable RADIUS-based MAC authentication of clients . Choices:
|
|
RADIUS-based MAC authentication server. Source user.radius.name. |
|
Selective user groups that are permitted for RADIUS mac authentication. |
|
User group name. |
|
RADIUS server to be used to authenticate WiFi users. Source user.radius.name. |
|
Allowed data rates for 802.11a. Choices:
|
|
Allowed data rates for 802.11ac with 1 or 2 spatial streams. Choices:
|
|
Allowed data rates for 802.11ac with 3 or 4 spatial streams. Choices:
|
|
Allowed data rates for 802.11b/g. Choices:
|
|
Allowed data rates for 802.11n with 1 or 2 spatial streams. Choices:
|
|
Allowed data rates for 802.11n with 3 or 4 spatial streams. Choices:
|
|
SAE-Groups. Choices:
|
|
WPA3 SAE password to be used to authenticate WiFi users. |
|
Block or monitor connections to Botnet servers or disable Botnet scanning. Choices:
|
|
VAP schedule name. |
|
Secondary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
|
Security mode for the wireless interface . Choices:
|
|
Optional security exempt list for captive portal authentication. Source user.security-exempt-list.name. |
|
Enable/disable obsolete security options. Choices:
|
|
Optional URL for redirecting users after they pass captive portal authentication. |
|
Selective user groups that are permitted to authenticate. |
|
User group name. Source user.group.name. |
|
Enable/disable split tunneling . Choices:
|
|
IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. |
|
Enable/disable sticky client remove to maintain good signal level clients in SSID. . Choices:
|
|
Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20). |
|
Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20). |
|
Enable/disable 802.11ax target wake time . Choices:
|
|
Enable/disable TKIP counter measure. Choices:
|
|
The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec). |
|
The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec). |
|
Firewall user group to be used to authenticate WiFi users. |
|
User group name. Source user.group.name. |
|
Enable/disable UTM logging. Choices:
|
|
UTM profile name. Source wireless-controller.utm-profile.name. |
|
Enable to add one or more security profiles (AV, IPS, etc.) to the VAP. Choices:
|
|
Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name. |
|
Enable/disable automatic management of SSID VLAN interface. Choices:
|
|
VLAN pool. |
|
ID. |
|
WTP group name. Source wireless-controller.wtp-group.name. |
|
Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools . When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. Choices:
|
|
Optional VLAN ID. |
|
Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming . Choices:
|
|
WebFilter profile name. Source webfilter.profile.name. |
Examples
- collections:
- fortinet.fortios
connection: httpapi
hosts: fortigate01
vars:
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
vdom: root
tasks:
- name: fortios_wireless_controller_vap
fortios_wireless_controller_vap:
vdom: root
state: present
wireless_controller_vap:
acct_interim_interval: 0
atf_weight: 20
auth: psk
broadcast_ssid: enable
broadcast_suppression: dhcp-up
bss_color_partial: enable
captive_portal_auth_timeout: 0
captive_portal_session_timeout_interval: 0
dhcp_lease_time: 2400
dhcp_option43_insertion: enable
dhcp_option82_circuit_id_insertion: disable
dhcp_option82_insertion: disable
dhcp_option82_remote_id_insertion: disable
dynamic_vlan: disable
eap_reauth: disable
eap_reauth_intv: 86400
eapol_key_retries: enable
encrypt: AES
external_fast_roaming: disable
external_web_format: auto-detect
fast_bss_transition: disable
fast_roaming: enable
ft_mobility_domain: 1000
ft_over_ds: enable
ft_r0_key_lifetime: 480
gtk_rekey: disable
gtk_rekey_intv: 86400
high_efficiency: enable
igmp_snooping: disable
intra_vap_privacy: disable
ip: 0.0.0.0 0.0.0.0
ipv6_rules: drop-icmp6ra
keyindex: 1
ldpc: rxtx
local_authentication: disable
local_bridging: disable
local_lan: allow
local_standalone: disable
local_standalone_nat: disable
mac_auth_bypass: disable
mac_filter: disable
mac_filter_policy_other: allow
max_clients: 0
max_clients_ap: 0
me_disable_thresh: 32
mesh_backhaul: disable
mpsk_concurrent_clients: 0
mu_mimo: enable
multicast_enhance: disable
multicast_rate: '0'
name: terr-test
okc: enable
owe_transition: disable
passphrase: fortinet-pass
pmf: disable
pmf_assoc_comeback_timeout: 1
pmf_sa_query_retry_timeout: 2
port_macauth: disable
port_macauth_reauth_timeout: 7200
port_macauth_timeout: 600
portal_type: auth
probe_resp_suppression: disable
probe_resp_threshold: '-80'
ptk_rekey: disable
ptk_rekey_intv: 86400
quarantine: enable
radio_2g_threshold: '-79'
radio_5g_threshold: '-76'
radio_sensitivity: disable
radius_mac_auth: disable
security: wpa2-only-personal
security_obsolete_option: disable
split_tunneling: disable
ssid: fortinet
sticky_client_remove: disable
sticky_client_threshold_2g: '-79'
sticky_client_threshold_5g: '-76'
target_wake_time: enable
tkip_counter_measure: enable
tunnel_echo_interval: 300
tunnel_fallback_interval: 7200
vdom: root
vlan_auto: disable
vlan_pooling: disable
vlanid: 0
voice_enterprise: disable
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)