You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

fortinet.fortimanager.fmgr_user_radius module – Configure RADIUS server entries.

Note

This module is part of the fortinet.fortimanager collection (version 2.1.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_user_radius.

New in version 2.10: of fortinet.fortimanager

Synopsis
Parameters
Notes
Examples
Return Values

Synopsis 

This module is able to configure a FortiManager device.
Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters 

Parameter	Comments
adom string / required	the parameter (adom) in requested url
bypass_validation boolean	only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters Choices: no ← (default) yes
enable_log boolean	Enable/Disable logging for task Choices: no ← (default) yes
proposed_method string	The overridden method for the underlying Json RPC request Choices: update set add
rc_failed list / elements=string	the rc codes list with which the conditions to fail will be overriden
rc_succeeded list / elements=string	the rc codes list with which the conditions to succeed will be overriden
state string / required	the directive to create, update or delete an object Choices: present absent
user_radius dictionary	the top level parameters set
accounting-server list / elements=string	Accounting-Server.
id integer	ID (0 - 4294967295).
interface string	Specify outgoing interface to reach server.
interface-select-method string	Specify how to select outgoing interface to reach server. Choices: auto sdwan specify
port integer	RADIUS accounting port number.
secret string	Secret key.
server string	{<name_str\|ip_str>} Server CN domain name or IP.
source-ip string	Source IP address for communications to the RADIUS server.
status string	Status. Choices: disable enable
acct-all-servers string	Enable/disable sending of accounting messages to all configured servers (default = disable). Choices: disable enable
acct-interim-interval integer	Time in seconds between each accounting interim update message.
all-usergroup string	Enable/disable automatically including this RADIUS server in all user groups. Choices: disable enable
auth-type string	Authentication methods/protocols permitted for this RADIUS server. Choices: pap chap ms_chap ms_chap_v2 auto
class string	Class attribute name(s).
dynamic_mapping list / elements=string	Dynamic_Mapping.
_scope list / elements=string	_Scope.
name string	Name.
vdom string	Vdom.
accounting-server list / elements=string	Accounting-Server.
id integer	ID (0 - 4294967295).
interface string	Specify outgoing interface to reach server.
interface-select-method string	Specify how to select outgoing interface to reach server. Choices: auto sdwan specify
port integer	RADIUS accounting port number.
secret string	Secret key.
server string	{<name_str\|ip_str>} Server CN domain name or IP.
source-ip string	Source IP address for communications to the RADIUS server.
status string	Status. Choices: disable enable
acct-all-servers string	Enable/disable sending of accounting messages to all configured servers (default = disable). Choices: disable enable
acct-interim-interval integer	Time in seconds between each accounting interim update message.
all-usergroup string	Enable/disable automatically including this RADIUS server in all user groups. Choices: disable enable
auth-type string	Authentication methods/protocols permitted for this RADIUS server. Choices: pap chap ms_chap ms_chap_v2 auto
class string	Class attribute name(s).
dp-carrier-endpoint-attribute string	Dp-Carrier-Endpoint-Attribute. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Vendor-Specific Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
dp-carrier-endpoint-block-attribute string	Dp-Carrier-Endpoint-Block-Attribute. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Vendor-Specific Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
dp-context-timeout integer	Dp-Context-Timeout.
dp-flush-ip-session string	Dp-Flush-Ip-Session. Choices: disable enable
dp-hold-time integer	Dp-Hold-Time.
dp-http-header string	Dp-Http-Header.
dp-http-header-fallback string	Dp-Http-Header-Fallback. Choices: ip-header-address default-profile
dp-http-header-status string	Dp-Http-Header-Status. Choices: disable enable
dp-http-header-suppress string	Dp-Http-Header-Suppress. Choices: disable enable
dp-log-dyn_flags list / elements=string	Dp-Log-Dyn_Flags. Choices: none protocol-error profile-missing context-missing accounting-stop-missed accounting-event radiusd-other endpoint-block
dp-log-period integer	Dp-Log-Period.
dp-mem-percent integer	Dp-Mem-Percent.
dp-profile-attribute string	Dp-Profile-Attribute. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Vendor-Specific Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
dp-profile-attribute-key string	Dp-Profile-Attribute-Key.
dp-radius-response string	Dp-Radius-Response. Choices: disable enable
dp-radius-server-port integer	Dp-Radius-Server-Port.
dp-secret string	Dp-Secret.
dp-validate-request-secret string	Dp-Validate-Request-Secret. Choices: disable enable
dynamic-profile string	Dynamic-Profile. Choices: disable enable
endpoint-translation string	Endpoint-Translation. Choices: disable enable
ep-carrier-endpoint-convert-hex string	Ep-Carrier-Endpoint-Convert-Hex. Choices: disable enable
ep-carrier-endpoint-header string	Ep-Carrier-Endpoint-Header.
ep-carrier-endpoint-header-suppress string	Ep-Carrier-Endpoint-Header-Suppress. Choices: disable enable
ep-carrier-endpoint-prefix string	Ep-Carrier-Endpoint-Prefix. Choices: disable enable
ep-carrier-endpoint-prefix-range-max integer	Ep-Carrier-Endpoint-Prefix-Range-Max.
ep-carrier-endpoint-prefix-range-min integer	Ep-Carrier-Endpoint-Prefix-Range-Min.
ep-carrier-endpoint-prefix-string string	Ep-Carrier-Endpoint-Prefix-String.
ep-carrier-endpoint-source string	Ep-Carrier-Endpoint-Source. Choices: http-header cookie
ep-ip-header string	Ep-Ip-Header.
ep-ip-header-suppress string	Ep-Ip-Header-Suppress. Choices: disable enable
ep-missing-header-fallback string	Ep-Missing-Header-Fallback. Choices: session-ip policy-profile
ep-profile-query-type string	Ep-Profile-Query-Type. Choices: session-ip extract-ip extract-carrier-endpoint
group-override-attr-type string	Group-Override-Attr-Type. Choices: filter-Id class
h3c-compatibility string	Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. Choices: disable enable
interface string	Specify outgoing interface to reach server.
interface-select-method string	Specify how to select outgoing interface to reach server. Choices: auto sdwan specify
nas-ip string	IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
password-encoding string	Password encoding. Choices: ISO-8859-1 auto
password-renewal string	Enable/disable password renewal. Choices: disable enable
radius-coa string	Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after… Choices: disable enable
radius-port integer	RADIUS service port number.
rsso string	Enable/disable RADIUS based single sign on feature. Choices: disable enable
rsso-context-timeout integer	Time in seconds before the logged out user is removed from the “user context list” of logged on users.
rsso-endpoint-attribute string	RADIUS attributes used to extract the user end point identifer from the RADIUS Start record. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
rsso-endpoint-block-attribute string	RADIUS attributes used to block a user. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
rsso-ep-one-ip-only string	Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start mess… Choices: disable enable
rsso-flush-ip-session string	Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. Choices: disable enable
rsso-log-flags list / elements=string	Events to log. Choices: none protocol-error profile-missing context-missing accounting-stop-missed accounting-event radiusd-other endpoint-block
rsso-log-period integer	Time interval in seconds that group event log messages will be generated for dynamic profile events.
rsso-radius-response string	Enable/disable sending RADIUS response packets after receiving Start and Stop records. Choices: disable enable
rsso-radius-server-port integer	UDP port to listen on for RADIUS Start and Stop records.
rsso-secret string	RADIUS secret used by the RADIUS accounting server.
rsso-validate-request-secret string	Enable/disable validating the RADIUS request shared secret in the Start or End record. Choices: disable enable
secondary-secret string	Secret key to access the secondary server.
secondary-server string	{<name_str\|ip_str>} secondary RADIUS CN domain name or IP.
secret string	Pre-shared secret key used to access the primary RADIUS server.
server string	Primary RADIUS server CN domain name or IP address.
source-ip string	Source IP address for communications to the RADIUS server.
sso-attribute string	RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
sso-attribute-key string	Key prefix for SSO group value in the SSO attribute.
sso-attribute-value-override string	Enable/disable override old attribute value with new value for the same endpoint. Choices: disable enable
switch-controller-acct-fast-framedip-detect integer	Switch-Controller-Acct-Fast-Framedip-Detect.
switch-controller-service-type list / elements=string	Switch-Controller-Service-Type. Choices: login framed callback-login callback-framed outbound administrative nas-prompt authenticate-only callback-nas-prompt call-check callback-administrative
tertiary-secret string	Secret key to access the tertiary server.
tertiary-server string	{<name_str\|ip_str>} tertiary RADIUS CN domain name or IP.
timeout integer	Time in seconds between re-sending authentication requests.
use-group-for-profile string	Use-Group-For-Profile. Choices: disable enable
use-management-vdom string	Enable/disable using management VDOM to send requests. Choices: disable enable
username-case-sensitive string	Enable/disable case sensitive user names. Choices: disable enable
group-override-attr-type string	RADIUS attribute type to override user group information. Choices: filter-Id class
h3c-compatibility string	Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. Choices: disable enable
interface string	Specify outgoing interface to reach server.
interface-select-method string	Specify how to select outgoing interface to reach server. Choices: auto sdwan specify
name string	RADIUS server entry name.
nas-ip string	IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
password-encoding string	Password encoding. Choices: ISO-8859-1 auto
password-renewal string	Enable/disable password renewal. Choices: disable enable
radius-coa string	Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is a… Choices: disable enable
radius-port integer	RADIUS service port number.
rsso string	Enable/disable RADIUS based single sign on feature. Choices: disable enable
rsso-context-timeout integer	Time in seconds before the logged out user is removed from the “user context list” of logged on users.
rsso-endpoint-attribute string	RADIUS attributes used to extract the user end point identifer from the RADIUS Start record. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
rsso-endpoint-block-attribute string	RADIUS attributes used to block a user. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
rsso-ep-one-ip-only string	Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. Choices: disable enable
rsso-flush-ip-session string	Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. Choices: disable enable
rsso-log-flags list / elements=string	Events to log. Choices: none protocol-error profile-missing context-missing accounting-stop-missed accounting-event radiusd-other endpoint-block
rsso-log-period integer	Time interval in seconds that group event log messages will be generated for dynamic profile events.
rsso-radius-response string	Enable/disable sending RADIUS response packets after receiving Start and Stop records. Choices: disable enable
rsso-radius-server-port integer	UDP port to listen on for RADIUS Start and Stop records.
rsso-secret string	RADIUS secret used by the RADIUS accounting server.
rsso-validate-request-secret string	Enable/disable validating the RADIUS request shared secret in the Start or End record. Choices: disable enable
secondary-secret string	Secret key to access the secondary server.
secondary-server string	{<name_str\|ip_str>} secondary RADIUS CN domain name or IP.
secret string	Pre-shared secret key used to access the primary RADIUS server.
server string	Primary RADIUS server CN domain name or IP address.
source-ip string	Source IP address for communications to the RADIUS server.
sso-attribute string	RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Choices: User-Name User-Password CHAP-Password NAS-IP-Address NAS-Port Service-Type Framed-Protocol Framed-IP-Address Framed-IP-Netmask Framed-Routing Filter-Id Framed-MTU Framed-Compression Login-IP-Host Login-Service Login-TCP-Port Reply-Message Callback-Number Callback-Id Framed-Route Framed-IPX-Network State Class Session-Timeout Idle-Timeout Termination-Action Called-Station-Id Calling-Station-Id NAS-Identifier Proxy-State Login-LAT-Service Login-LAT-Node Login-LAT-Group Framed-AppleTalk-Link Framed-AppleTalk-Network Framed-AppleTalk-Zone Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-Id Acct-Authentic Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Terminate-Cause Acct-Multi-Session-Id Acct-Link-Count CHAP-Challenge NAS-Port-Type Port-Limit Login-LAT-Port
sso-attribute-key string	Key prefix for SSO group value in the SSO attribute.
sso-attribute-value-override string	Enable/disable override old attribute value with new value for the same endpoint. Choices: disable enable
switch-controller-acct-fast-framedip-detect integer	Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2).
switch-controller-service-type list / elements=string	RADIUS service type. Choices: login framed callback-login callback-framed outbound administrative nas-prompt authenticate-only callback-nas-prompt call-check callback-administrative
tertiary-secret string	Secret key to access the tertiary server.
tertiary-server string	{<name_str\|ip_str>} tertiary RADIUS CN domain name or IP.
timeout integer	Time in seconds between re-sending authentication requests.
use-management-vdom string	Enable/disable using management VDOM to send requests. Choices: disable enable
username-case-sensitive string	Enable/disable case sensitive user names. Choices: disable enable
workspace_locking_adom string	the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout integer	the maximum time in seconds to wait for other user to release the workspace lock Default: 300

Notes 

Note

Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state present directive.
To delete an object, use state absent directive.
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples 

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
   - name: retrieve all the RADIUS server entries
     fmgr_fact:
       facts:
           selector: 'user_radius'
           params:
               adom: 'ansible'
               radius: ''

- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure RADIUS server entries.
     fmgr_user_radius:
        bypass_validation: False
        adom: ansible
        state: present
        user_radius:
           name: ansible-test-radius
           server: ansible
           timeout: 200

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
request_url string	The full url requested Returned: always Sample: “/sys/login/user”
response_code integer	The status of api request Returned: always Sample: 0
response_message string	The descriptive message of the api response Returned: always Sample: “OK.”

Authors

Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Frank Shen (@fshen01)
Hongbin Lu (@fgtdev-hblu)

Collection links

Issue Tracker Homepage Repository (Sources)

fortinet.fortimanager.fmgr_user_radius module – Configure RADIUS server entries.

Synopsis

Parameters

Notes

Examples

Return Values