fortinet.fortimanager.fmgr_vap module – Configure Virtual Access Points

Note

This module is part of the fortinet.fortimanager collection (version 2.1.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_vap.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter

Comments

adom

string / required

The parameter (adom) in the requested URL.

bypass_validation

boolean

Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • no ← (default)

  • yes

enable_log

boolean

Enable/Disable logging for task

Choices:

  • no ← (default)

  • yes

proposed_method

string

The overridden method for the underlying JSON RPC request.

Choices:

  • update

  • set

  • add

rc_failed

list / elements=string

The list of rc codes that overrides the conditions for failure.

rc_succeeded

list / elements=string

The list of rc codes that overrides the conditions for success.

state

string / required

The directive to create, update or delete an object.

Choices:

  • present

  • absent

vap

dictionary

The top-level parameter set.

_centmgmt

string

_Centmgmt.

Choices:

  • disable ← (default)

  • enable

_dhcp_svr_id

string

_Dhcp_Svr_Id.

_intf_allowaccess

list / elements=string

_Intf_Allowaccess.

Choices:

  • https

  • ping

  • ssh

  • snmp

  • http

  • telnet

  • fgfm

  • auto-ipsec

  • radius-acct

  • probe-response

  • capwap

_intf_device-access-list

string

_Intf_Device-Access-List.

_intf_device-identification

string

_Intf_Device-Identification.

Choices:

  • disable ← (default)

  • enable

_intf_device-netscan

string

_Intf_Device-Netscan.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp-relay-ip

string

_Intf_Dhcp-Relay-Ip.

_intf_dhcp-relay-service

string

_Intf_Dhcp-Relay-Service.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp-relay-type

string

_Intf_Dhcp-Relay-Type.

Choices:

  • regular ← (default)

  • ipsec

_intf_dhcp6-relay-ip

string

_Intf_Dhcp6-Relay-Ip.

_intf_dhcp6-relay-service

string

_Intf_Dhcp6-Relay-Service.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp6-relay-type

string

_Intf_Dhcp6-Relay-Type.

Choices:

  • regular ← (default)

_intf_ip

string

_Intf_Ip.

_intf_ip6-address

string

_Intf_Ip6-Address.

_intf_ip6-allowaccess

list / elements=string

_Intf_Ip6-Allowaccess.

Choices:

  • https

  • ping

  • ssh

  • snmp

  • http

  • telnet

  • any

  • fgfm

  • capwap

_intf_listen-forticlient-connection

string

_Intf_Listen-Forticlient-Connection.

Choices:

  • disable ← (default)

  • enable

access-control-list

string

access-control-list profile name.

acct-interim-interval

integer

WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).

additional-akms

list / elements=string

Additional AKMs.

Choices:

  • akm6

address-group

string

Address group ID.

alias

string

Alias.

atf-weight

integer

Airtime weight in percentage (default = 20).

auth

string

Authentication protocol.

Choices:

  • PSK

  • psk

  • RADIUS

  • radius

  • usergroup

broadcast-ssid

string

Enable/disable broadcasting the SSID (default = enable).

Choices:

  • disable

  • enable

broadcast-suppression

list / elements=string

Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.

Choices:

  • dhcp

  • arp

  • dhcp2

  • arp2

  • netbios-ns

  • netbios-ds

  • arp3

  • dhcp-up

  • dhcp-down

  • arp-known

  • arp-unknown

  • arp-reply

  • ipv6

  • dhcp-starvation

  • arp-poison

  • all-other-mc

  • all-other-bc

  • arp-proxy

  • dhcp-ucast

bss-color-partial

string

Enable/disable 802.11ax partial BSS color (default = enable).

Choices:

  • disable

  • enable

bstm-disassociation-imminent

string

Enable/disable forcing of disassociation after the BSTM request timer has been reached (default = enable).

Choices:

  • disable

  • enable

bstm-load-balancing-disassoc-timer

integer

Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30, default = …

bstm-rssi-disassoc-timer

integer

Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000, default = 200).

captive-portal-ac-name

string

Local-bridging captive portal ac-name.

captive-portal-auth-timeout

integer

Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec, default = 0).

captive-portal-macauth-radius-secret

string

Secret key to access the macauth RADIUS server.

captive-portal-macauth-radius-server

string

Captive portal external RADIUS server domain name or IP address.

captive-portal-radius-secret

string

Secret key to access the RADIUS server.

captive-portal-radius-server

string

Captive portal RADIUS server domain name or IP address.

captive-portal-session-timeout-interval

integer

Session timeout interval (0 - 864000 sec, default = 0).

dhcp-address-enforcement

string

Enable/disable DHCP address enforcement (default = disable).

Choices:

  • disable

  • enable

dhcp-lease-time

integer

DHCP lease time in seconds for NAT IP address.

dhcp-option43-insertion

string

Enable/disable insertion of DHCP option 43 (default = enable).

Choices:

  • disable

  • enable

dhcp-option82-circuit-id-insertion

string

Enable/disable DHCP option 82 circuit-id insert (default = disable).

Choices:

  • disable

  • style-1

  • style-2

  • style-3

dhcp-option82-insertion

string

Enable/disable DHCP option 82 insert (default = disable).

Choices:

  • disable

  • enable

dhcp-option82-remote-id-insertion

string

Enable/disable DHCP option 82 remote-id insert (default = disable).

Choices:

  • disable

  • style-1

dynamic-vlan

string

Enable/disable dynamic VLAN assignment.

Choices:

  • disable

  • enable

dynamic_mapping

list / elements=string

Dynamic_Mapping.

_centmgmt

string

_Centmgmt.

Choices:

  • disable ← (default)

  • enable

_dhcp_svr_id

string

_Dhcp_Svr_Id.

_intf_allowaccess

list / elements=string

_Intf_Allowaccess.

Choices:

  • https

  • ping

  • ssh

  • snmp

  • http

  • telnet

  • fgfm

  • auto-ipsec

  • radius-acct

  • probe-response

  • capwap

_intf_device-access-list

string

_Intf_Device-Access-List.

_intf_device-identification

string

_Intf_Device-Identification.

Choices:

  • disable ← (default)

  • enable

_intf_device-netscan

string

_Intf_Device-Netscan.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp-relay-ip

string

_Intf_Dhcp-Relay-Ip.

_intf_dhcp-relay-service

string

_Intf_Dhcp-Relay-Service.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp-relay-type

string

_Intf_Dhcp-Relay-Type.

Choices:

  • regular ← (default)

  • ipsec

_intf_dhcp6-relay-ip

string

_Intf_Dhcp6-Relay-Ip.

_intf_dhcp6-relay-service

string

_Intf_Dhcp6-Relay-Service.

Choices:

  • disable ← (default)

  • enable

_intf_dhcp6-relay-type

string

_Intf_Dhcp6-Relay-Type.

Choices:

  • regular ← (default)

_intf_ip

string

_Intf_Ip.

_intf_ip6-address

string

_Intf_Ip6-Address.

_intf_ip6-allowaccess

list / elements=string

_Intf_Ip6-Allowaccess.

Choices:

  • https

  • ping

  • ssh

  • snmp

  • http

  • telnet

  • any

  • fgfm

  • capwap

_intf_listen-forticlient-connection

string

_Intf_Listen-Forticlient-Connection.

Choices:

  • disable ← (default)

  • enable

_scope

list / elements=string

_Scope.

name

string

Name.

vdom

string

Vdom.

access-control-list

string

Access-Control-List.

acct-interim-interval

integer

WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).

additional-akms

list / elements=string

Additional-Akms.

Choices:

  • akm6

address-group

string

Address group ID.

alias

string

Alias.

atf-weight

integer

Airtime weight in percentage (default = 20).

auth

string

Authentication protocol.

Choices:

  • PSK

  • psk

  • RADIUS

  • radius

  • usergroup

broadcast-ssid

string

Enable/disable broadcasting the SSID (default = enable).

Choices:

  • disable

  • enable

broadcast-suppression

list / elements=string

Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.

Choices:

  • dhcp

  • arp

  • dhcp2

  • arp2

  • netbios-ns

  • netbios-ds

  • arp3

  • dhcp-up

  • dhcp-down

  • arp-known

  • arp-unknown

  • arp-reply

  • ipv6

  • dhcp-starvation

  • arp-poison

  • all-other-mc

  • all-other-bc

  • arp-proxy

  • dhcp-ucast

bss-color-partial

string

Bss-Color-Partial.

Choices:

  • disable

  • enable

bstm-disassociation-imminent

string

Enable/disable forcing of disassociation after the BSTM request timer has been reached (default = enable).

Choices:

  • disable

  • enable

bstm-load-balancing-disassoc-timer

integer

Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30, de…

bstm-rssi-disassoc-timer

integer

Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000, default =…

captive-portal-ac-name

string

Local-bridging captive portal ac-name.

captive-portal-auth-timeout

integer

Captive-Portal-Auth-Timeout.

captive-portal-macauth-radius-secret

string

Secret key to access the macauth RADIUS server.

captive-portal-macauth-radius-server

string

Captive portal external RADIUS server domain name or IP address.

captive-portal-radius-secret

string

Secret key to access the RADIUS server.

captive-portal-radius-server

string

Captive portal RADIUS server domain name or IP address.

captive-portal-session-timeout-interval

integer

Session timeout interval (0 - 864000 sec, default = 0).

client-count

integer

Client-Count.

dhcp-address-enforcement

string

Enable/disable DHCP address enforcement (default = disable).

Choices:

  • disable

  • enable

dhcp-lease-time

integer

DHCP lease time in seconds for NAT IP address.

dhcp-option43-insertion

string

Dhcp-Option43-Insertion.

Choices:

  • disable

  • enable

dhcp-option82-circuit-id-insertion

string

Enable/disable DHCP option 82 circuit-id insert (default = disable).

Choices:

  • disable

  • style-1

  • style-2

  • style-3

dhcp-option82-insertion

string

Enable/disable DHCP option 82 insert (default = disable).

Choices:

  • disable

  • enable

dhcp-option82-remote-id-insertion

string

Enable/disable DHCP option 82 remote-id insert (default = disable).

Choices:

  • disable

  • style-1

dynamic-vlan

string

Enable/disable dynamic VLAN assignment.

Choices:

  • disable

  • enable

eap-reauth

string

Enable/disable EAP re-authentication for WPA-Enterprise security.

Choices:

  • disable

  • enable

eap-reauth-intv

integer

EAP re-authentication interval (1800 - 864000 sec, default = 86400).

eapol-key-retries

string

Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).

Choices:

  • disable

  • enable

encrypt

string

Encryption protocol to use (only available when security is set to a WPA type).

Choices:

  • TKIP

  • AES

  • TKIP-AES

external-fast-roaming

string

Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).

Choices:

  • disable

  • enable

external-logout

string

URL of external authentication logout server.

external-web

string

URL of external authentication web server.

external-web-format

string

URL query parameter detection (default = auto-detect).

Choices:

  • auto-detect

  • no-query-string

  • partial-query-string

fast-bss-transition

string

Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).

Choices:

  • disable

  • enable

fast-roaming

string

Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).

Choices:

  • disable

  • enable

ft-mobility-domain

integer

Mobility domain identifier in FT (1 - 65535, default = 1000).

ft-over-ds

string

Enable/disable FT over the Distribution System (DS).

Choices:

  • disable

  • enable

ft-r0-key-lifetime

integer

Lifetime of the PMK-R0 key in FT, 1-65535 minutes.

gas-comeback-delay

integer

GAS comeback delay (0 or 100 - 10000 milliseconds, default = 500).

gas-fragmentation-limit

integer

GAS fragmentation limit (512 - 4096, default = 1024).

gtk-rekey

string

Enable/disable GTK rekey for WPA security.

Choices:

  • disable

  • enable

gtk-rekey-intv

integer

GTK rekey interval (1800 - 864000 sec, default = 86400).

high-efficiency

string

Enable/disable 802.11ax high efficiency (default = enable).

Choices:

  • disable

  • enable

hotspot20-profile

string

Hotspot 2.0 profile name.

igmp-snooping

string

Enable/disable IGMP snooping.

Choices:

  • disable

  • enable

intra-vap-privacy

string

Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).

Choices:

  • disable

  • enable

ip

string

IP address and subnet mask for the local standalone NAT subnet.

ipv6-rules

list / elements=string

Ipv6-Rules.

Choices:

  • drop-icmp6ra

  • drop-icmp6rs

  • drop-llmnr6

  • drop-icmp6mld2

  • drop-dhcp6s

  • drop-dhcp6c

  • ndp-proxy

  • drop-ns-dad

  • drop-ns-nondad

key

string

WEP Key.

keyindex

integer

WEP key index (1 - 4).

ldpc

string

VAP low-density parity-check (LDPC) coding configuration.

Choices:

  • disable

  • tx

  • rx

  • rxtx

local-authentication

string

Enable/disable AP local authentication.

Choices:

  • disable

  • enable

local-bridging

string

Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).

Choices:

  • disable

  • enable

local-lan

string

Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).

Choices:

  • deny

  • allow

local-standalone

string

Enable/disable AP local standalone (default = disable).

Choices:

  • disable

  • enable

local-standalone-nat

string

Enable/disable AP local standalone NAT mode.

Choices:

  • disable

  • enable

local-switching

string

Local-Switching.

Choices:

  • disable

  • enable

mac-auth-bypass

string

Enable/disable MAC authentication bypass.

Choices:

  • disable

  • enable

mac-called-station-delimiter

string

MAC called station delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-calling-station-delimiter

string

MAC calling station delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-case

string

MAC case (default = uppercase).

Choices:

  • uppercase

  • lowercase

mac-filter

string

Enable/disable MAC filtering to block wireless clients by MAC address.

Choices:

  • disable

  • enable

mac-filter-policy-other

string

Allow or block clients with MAC addresses that are not in the filter list.

Choices:

  • deny

  • allow

mac-password-delimiter

string

MAC authentication password delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-username-delimiter

string

MAC authentication username delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

max-clients

integer

Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).

max-clients-ap

integer

Maximum number of clients that can connect simultaneously to the VAP per AP radio (default = 0, meaning no limitation).

mbo

string

Enable/disable Multiband Operation (default = disable).

Choices:

  • disable

  • enable

mbo-cell-data-conn-pref

string

MBO cell data connection preference (0, 1, or 255, default = 1).

Choices:

  • excluded

  • prefer-not

  • prefer-use

me-disable-thresh

integer

Disable multicast enhancement when this many clients are receiving multicast traffic.

mesh-backhaul

string

Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security …

Choices:

  • disable

  • enable

mpsk

string

Enable/disable multiple PSK authentication.

Choices:

  • disable

  • enable

mpsk-concurrent-clients

integer

Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535,…

mpsk-profile

string

Mpsk-Profile.

mu-mimo

string

Enable/disable Multi-user MIMO (default = enable).

Choices:

  • disable

  • enable

multicast-enhance

string

Enable/disable converting multicast to unicast to improve performance (default = disable).

Choices:

  • disable

  • enable

multicast-rate

string

Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).

Choices:

  • 0

  • 6000

  • 12000

  • 24000

nac

string

Enable/disable network access control.

Choices:

  • disable

  • enable

nac-profile

string

NAC profile name.

neighbor-report-dual-band

string

Enable/disable dual-band neighbor report (default = disable).

Choices:

  • disable

  • enable

okc

string

Enable/disable Opportunistic Key Caching (OKC) (default = enable).

Choices:

  • disable

  • enable

owe-groups

list / elements=string

OWE-Groups.

Choices:

  • 19

  • 20

  • 21

owe-transition

string

Enable/disable OWE transition mode support.

Choices:

  • disable

  • enable

owe-transition-ssid

string

OWE transition mode peer SSID.

passphrase

string

WPA pre-shared key (PSK) to be used to authenticate WiFi users.

pmf

string

Protected Management Frames (PMF) support (default = disable).

Choices:

  • disable

  • enable

  • optional

pmf-assoc-comeback-timeout

integer

Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).

pmf-sa-query-retry-timeout

integer

Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec).

port-macauth

string

Enable/disable LAN port MAC authentication (default = disable).

Choices:

  • disable

  • radius

  • address-group

port-macauth-reauth-timeout

integer

LAN port MAC authentication re-authentication timeout value (default = 7200 sec).

port-macauth-timeout

integer

LAN port MAC authentication idle timeout value (default = 600 sec).

portal-message-override-group

string

Replacement message group for this VAP (only available when security is set to a captive portal type).

portal-type

string

Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.

Choices:

  • auth

  • auth+disclaimer

  • disclaimer

  • email-collect

  • cmcc

  • cmcc-macauth

  • auth-mac

  • external-auth

  • external-macauth

primary-wag-profile

string

Primary wireless access gateway profile name.

probe-resp-suppression

string

Enable/disable probe response suppression (to ignore weak signals) (default = disable).

Choices:

  • disable

  • enable

probe-resp-threshold

string

Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80).

ptk-rekey

string

Enable/disable PTK rekey for WPA-Enterprise security.

Choices:

  • disable

  • enable

ptk-rekey-intv

integer

PTK rekey interval (1800 - 864000 sec, default = 86400).

qos-profile

string

Quality of service profile name.

quarantine

string

Enable/disable station quarantine (default = enable).

Choices:

  • disable

  • enable

radio-2g-threshold

string

Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, defau…

radio-5g-threshold

string

Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20, default …

radio-sensitivity

string

Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).

Choices:

  • disable

  • enable

radius-mac-auth

string

Enable/disable RADIUS-based MAC authentication of clients (default = disable).

Choices:

  • disable

  • enable

radius-mac-auth-server

string

RADIUS-based MAC authentication server.

radius-mac-auth-usergroups

string

Selective user groups that are permitted for RADIUS MAC authentication.

radius-server

string

RADIUS server to be used to authenticate WiFi users.

rates-11a

list / elements=string

Allowed data rates for 802.11a.

Choices:

  • 1

  • 1-basic

  • 2

  • 2-basic

  • 5.5

  • 5.5-basic

  • 6

  • 6-basic

  • 9

  • 9-basic

  • 12

  • 12-basic

  • 18

  • 18-basic

  • 24

  • 24-basic

  • 36

  • 36-basic

  • 48

  • 48-basic

  • 54

  • 54-basic

  • 11

  • 11-basic

rates-11ac-ss12

list / elements=string

Allowed data rates for 802.11ac/ax with 1 or 2 spatial streams.

Choices:

  • mcs0/1

  • mcs1/1

  • mcs2/1

  • mcs3/1

  • mcs4/1

  • mcs5/1

  • mcs6/1

  • mcs7/1

  • mcs8/1

  • mcs9/1

  • mcs0/2

  • mcs1/2

  • mcs2/2

  • mcs3/2

  • mcs4/2

  • mcs5/2

  • mcs6/2

  • mcs7/2

  • mcs8/2

  • mcs9/2

  • mcs10/1

  • mcs11/1

  • mcs10/2

  • mcs11/2

rates-11ac-ss34

list / elements=string

Allowed data rates for 802.11ac/ax with 3 or 4 spatial streams.

Choices:

  • mcs0/3

  • mcs1/3

  • mcs2/3

  • mcs3/3

  • mcs4/3

  • mcs5/3

  • mcs6/3

  • mcs7/3

  • mcs8/3

  • mcs9/3

  • mcs0/4

  • mcs1/4

  • mcs2/4

  • mcs3/4

  • mcs4/4

  • mcs5/4

  • mcs6/4

  • mcs7/4

  • mcs8/4

  • mcs9/4

  • mcs10/3

  • mcs11/3

  • mcs10/4

  • mcs11/4

rates-11bg

list / elements=string

Allowed data rates for 802.11b/g.

Choices:

  • 1

  • 1-basic

  • 2

  • 2-basic

  • 5.5

  • 5.5-basic

  • 6

  • 6-basic

  • 9

  • 9-basic

  • 12

  • 12-basic

  • 18

  • 18-basic

  • 24

  • 24-basic

  • 36

  • 36-basic

  • 48

  • 48-basic

  • 54

  • 54-basic

  • 11

  • 11-basic

rates-11n-ss12

list / elements=string

Allowed data rates for 802.11n with 1 or 2 spatial streams.

Choices:

  • mcs0/1

  • mcs1/1

  • mcs2/1

  • mcs3/1

  • mcs4/1

  • mcs5/1

  • mcs6/1

  • mcs7/1

  • mcs8/2

  • mcs9/2

  • mcs10/2

  • mcs11/2

  • mcs12/2

  • mcs13/2

  • mcs14/2

  • mcs15/2

rates-11n-ss34

list / elements=string

Allowed data rates for 802.11n with 3 or 4 spatial streams.

Choices:

  • mcs16/3

  • mcs17/3

  • mcs18/3

  • mcs19/3

  • mcs20/3

  • mcs21/3

  • mcs22/3

  • mcs23/3

  • mcs24/4

  • mcs25/4

  • mcs26/4

  • mcs27/4

  • mcs28/4

  • mcs29/4

  • mcs30/4

  • mcs31/4

sae-groups

list / elements=string

SAE-Groups.

Choices:

  • 1

  • 2

  • 5

  • 14

  • 15

  • 16

  • 17

  • 18

  • 19

  • 20

  • 21

  • 27

  • 28

  • 29

  • 30

  • 31

sae-password

string

WPA3 SAE password to be used to authenticate WiFi users.

schedule

string

Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules i…

secondary-wag-profile

string

Secondary wireless access gateway profile name.

security

string

Security mode for the wireless interface (default = wpa2-only-personal).

Choices:

  • None

  • WEP64

  • wep64

  • WEP128

  • wep128

  • WPA_PSK

  • WPA_RADIUS

  • WPA

  • WPA2

  • WPA2_AUTO

  • open

  • wpa-personal

  • wpa-enterprise

  • captive-portal

  • wpa-only-personal

  • wpa-only-enterprise

  • wpa2-only-personal

  • wpa2-only-enterprise

  • wpa-personal+captive-portal

  • wpa-only-personal+captive-portal

  • wpa2-only-personal+captive-portal

  • osen

  • wpa3-enterprise

  • sae

  • sae-transition

  • owe

  • wpa3-sae

  • wpa3-sae-transition

  • wpa3-only-enterprise

  • wpa3-enterprise-transition

security-exempt-list

string

Optional security exempt list for captive portal authentication.

security-obsolete-option

string

Enable/disable obsolete security options.

Choices:

  • disable

  • enable

security-redirect-url

string

Optional URL for redirecting users after they pass captive portal authentication.

selected-usergroups

string

Selective user groups that are permitted to authenticate.

split-tunneling

string

Enable/disable split tunneling (default = disable).

Choices:

  • disable

  • enable

ssid

string

IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must …

sticky-client-remove

string

Sticky-Client-Remove.

Choices:

  • disable

  • enable

sticky-client-threshold-2g

string

Sticky-Client-Threshold-2G.

sticky-client-threshold-5g

string

Sticky-Client-Threshold-5G.

target-wake-time

string

Enable/disable 802.11ax target wake time (default = enable).

Choices:

  • disable

  • enable

tkip-counter-measure

string

Enable/disable TKIP counter measure.

Choices:

  • disable

  • enable

tunnel-echo-interval

integer

The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec, default = 300).

tunnel-fallback-interval

integer

The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec, default = 7200).

usergroup

string

Firewall user group to be used to authenticate WiFi users.

utm-profile

string

UTM profile name.

vdom

string

Vdom.

vlan-auto

string

Enable/disable automatic management of SSID VLAN interface.

Choices:

  • disable

  • enable

vlan-pooling

string

Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disabl…

Choices:

  • wtp-group

  • round-robin

  • hash

  • disable

vlanid

integer

Optional VLAN ID.

voice-enterprise

string

Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).

Choices:

  • disable

  • enable

eap-reauth

string

Enable/disable EAP re-authentication for WPA-Enterprise security.

Choices:

  • disable

  • enable

eap-reauth-intv

integer

EAP re-authentication interval (1800 - 864000 sec, default = 86400).

eapol-key-retries

string

Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).

Choices:

  • disable

  • enable

encrypt

string

Encryption protocol to use (only available when security is set to a WPA type).

Choices:

  • TKIP

  • AES

  • TKIP-AES

external-fast-roaming

string

Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).

Choices:

  • disable

  • enable

external-logout

string

URL of external authentication logout server.

external-web

string

URL of external authentication web server.

external-web-format

string

URL query parameter detection (default = auto-detect).

Choices:

  • auto-detect

  • no-query-string

  • partial-query-string

fast-bss-transition

string

Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).

Choices:

  • disable

  • enable

fast-roaming

string

Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).

Choices:

  • disable

  • enable

ft-mobility-domain

integer

Mobility domain identifier in FT (1 - 65535, default = 1000).

ft-over-ds

string

Enable/disable FT over the Distribution System (DS).

Choices:

  • disable

  • enable

ft-r0-key-lifetime

integer

Lifetime of the PMK-R0 key in FT, 1-65535 minutes.

gas-comeback-delay

integer

GAS comeback delay (0 or 100 - 10000 milliseconds, default = 500).

gas-fragmentation-limit

integer

GAS fragmentation limit (512 - 4096, default = 1024).

gtk-rekey

string

Enable/disable GTK rekey for WPA security.

Choices:

  • disable

  • enable

gtk-rekey-intv

integer

GTK rekey interval (1800 - 864000 sec, default = 86400).

high-efficiency

string

Enable/disable 802.11ax high efficiency (default = enable).

Choices:

  • disable

  • enable

hotspot20-profile

string

Hotspot 2.0 profile name.

igmp-snooping

string

Enable/disable IGMP snooping.

Choices:

  • disable

  • enable

intra-vap-privacy

string

Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).

Choices:

  • disable

  • enable

ip

string

IP address and subnet mask for the local standalone NAT subnet.

ipv6-rules

list / elements=string

Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network.

Choices:

  • drop-icmp6ra

  • drop-icmp6rs

  • drop-llmnr6

  • drop-icmp6mld2

  • drop-dhcp6s

  • drop-dhcp6c

  • ndp-proxy

  • drop-ns-dad

  • drop-ns-nondad

key

string

WEP Key.

keyindex

integer

WEP key index (1 - 4).

ldpc

string

VAP low-density parity-check (LDPC) coding configuration.

Choices:

  • disable

  • tx

  • rx

  • rxtx

local-authentication

string

Enable/disable AP local authentication.

Choices:

  • disable

  • enable

local-bridging

string

Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).

Choices:

  • disable

  • enable

local-lan

string

Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).

Choices:

  • deny

  • allow

local-standalone

string

Enable/disable AP local standalone (default = disable).

Choices:

  • disable

  • enable

local-standalone-nat

string

Enable/disable AP local standalone NAT mode.

Choices:

  • disable

  • enable

mac-auth-bypass

string

Enable/disable MAC authentication bypass.

Choices:

  • disable

  • enable

mac-called-station-delimiter

string

MAC called station delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-calling-station-delimiter

string

MAC calling station delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-case

string

MAC case (default = uppercase).

Choices:

  • uppercase

  • lowercase

mac-filter

string

Enable/disable MAC filtering to block wireless clients by MAC address.

Choices:

  • disable

  • enable

mac-filter-list

list / elements=string

Mac-Filter-List.

id

integer

ID.

mac

string

MAC address.

mac-filter-policy

string

Deny or allow the client with this MAC address.

Choices:

  • deny

  • allow

mac-filter-policy-other

string

Allow or block clients with MAC addresses that are not in the filter list.

Choices:

  • deny

  • allow

mac-password-delimiter

string

MAC authentication password delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

mac-username-delimiter

string

MAC authentication username delimiter (default = hyphen).

Choices:

  • hyphen

  • single-hyphen

  • colon

  • none

max-clients

integer

Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).

max-clients-ap

integer

Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation).

mbo

string

Enable/disable Multiband Operation (default = disable).

Choices:

  • disable

  • enable

mbo-cell-data-conn-pref

string

MBO cell data connection preference (0, 1, or 255, default = 1).

Choices:

  • excluded

  • prefer-not

  • prefer-use

me-disable-thresh

integer

Disable multicast enhancement when this many clients are receiving multicast traffic.

mesh-backhaul

string

Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set t…

Choices:

  • disable

  • enable

mpsk

string

Enable/disable multiple pre-shared keys (PSKs).

Choices:

  • disable

  • enable

mpsk-concurrent-clients

integer

Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.

mpsk-key

list / elements=string

Mpsk-Key.

comment

string

Comment.

concurrent-clients

string

Number of clients that can connect using this pre-shared key.

key-name

string

Pre-shared key name.

mpsk-schedules

string

Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid.

passphrase

string

WPA Pre-shared key.

mpsk-profile

string

MPSK profile name.

mu-mimo

string

Enable/disable Multi-user MIMO (default = enable).

Choices:

  • disable

  • enable

multicast-enhance

string

Enable/disable converting multicast to unicast to improve performance (default = disable).

Choices:

  • disable

  • enable

multicast-rate

string

Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).

Choices:

  • 0

  • 6000

  • 12000

  • 24000

nac

string

Enable/disable network access control.

Choices:

  • disable

  • enable

nac-profile

string

NAC profile name.

name

string

Virtual AP name.

neighbor-report-dual-band

string

Enable/disable dual-band neighbor report (default = disable).

Choices:

  • disable

  • enable

okc

string

Enable/disable Opportunistic Key Caching (OKC) (default = enable).

Choices:

  • disable

  • enable

owe-groups

list / elements=string

OWE-Groups.

Choices:

  • 19

  • 20

  • 21

owe-transition

string

Enable/disable OWE transition mode support.

Choices:

  • disable

  • enable

owe-transition-ssid

string

OWE transition mode peer SSID.

passphrase

string

WPA pre-shared key (PSK) to be used to authenticate WiFi users.

pmf

string

Protected Management Frames (PMF) support (default = disable).

Choices:

  • disable

  • enable

  • optional

pmf-assoc-comeback-timeout

integer

Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).

pmf-sa-query-retry-timeout

integer

Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec).

port-macauth

string

Enable/disable LAN port MAC authentication (default = disable).

Choices:

  • disable

  • radius

  • address-group

port-macauth-reauth-timeout

integer

LAN port MAC authentication re-authentication timeout value (default = 7200 sec).

port-macauth-timeout

integer

LAN port MAC authentication idle timeout value (default = 600 sec).

portal-message-override-group

string

Replacement message group for this VAP (only available when security is set to a captive portal type).

portal-message-overrides

dictionary

no description

auth-disclaimer-page

string

Override auth-disclaimer-page message with message from portal-message-overrides group.

auth-login-failed-page

string

Override auth-login-failed-page message with message from portal-message-overrides group.

auth-login-page

string

Override auth-login-page message with message from portal-message-overrides group.

auth-reject-page

string

Override auth-reject-page message with message from portal-message-overrides group.

portal-type

string

Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.

Choices:

  • auth

  • auth+disclaimer

  • disclaimer

  • email-collect

  • cmcc

  • cmcc-macauth

  • auth-mac

  • external-auth

  • external-macauth

primary-wag-profile

string

Primary wireless access gateway profile name.

probe-resp-suppression

string

Enable/disable probe response suppression (to ignore weak signals) (default = disable).

Choices:

  • disable

  • enable

probe-resp-threshold

string

Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80).

ptk-rekey

string

Enable/disable PTK rekey for WPA-Enterprise security.

Choices:

  • disable

  • enable

ptk-rekey-intv

integer

PTK rekey interval (1800 - 864000 sec, default = 86400).

qos-profile

string

Quality of service profile name.

quarantine

string

Enable/disable station quarantine (default = enable).

Choices:

  • disable

  • enable

radio-2g-threshold

string

Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79).

radio-5g-threshold

string

Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band (-95 to -20, default = -76).

radio-sensitivity

string

Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).

Choices:

  • disable

  • enable

radius-mac-auth

string

Enable/disable RADIUS-based MAC authentication of clients (default = disable).

Choices:

  • disable

  • enable

radius-mac-auth-server

string

RADIUS-based MAC authentication server.

radius-mac-auth-usergroups

string

Selective user groups that are permitted for RADIUS MAC authentication.

radius-server

string

RADIUS server to be used to authenticate WiFi users.

rates-11a

list / elements=string

Allowed data rates for 802.11a.

Choices:

  • 1

  • 1-basic

  • 2

  • 2-basic

  • 5.5

  • 5.5-basic

  • 6

  • 6-basic

  • 9

  • 9-basic

  • 12

  • 12-basic

  • 18

  • 18-basic

  • 24

  • 24-basic

  • 36

  • 36-basic

  • 48

  • 48-basic

  • 54

  • 54-basic

  • 11

  • 11-basic

rates-11ac-ss12

list / elements=string

Allowed data rates for 802.11ac/ax with 1 or 2 spatial streams.

Choices:

  • mcs0/1

  • mcs1/1

  • mcs2/1

  • mcs3/1

  • mcs4/1

  • mcs5/1

  • mcs6/1

  • mcs7/1

  • mcs8/1

  • mcs9/1

  • mcs0/2

  • mcs1/2

  • mcs2/2

  • mcs3/2

  • mcs4/2

  • mcs5/2

  • mcs6/2

  • mcs7/2

  • mcs8/2

  • mcs9/2

  • mcs10/1

  • mcs11/1

  • mcs10/2

  • mcs11/2

rates-11ac-ss34

list / elements=string

Allowed data rates for 802.11ac/ax with 3 or 4 spatial streams.

Choices:

  • mcs0/3

  • mcs1/3

  • mcs2/3

  • mcs3/3

  • mcs4/3

  • mcs5/3

  • mcs6/3

  • mcs7/3

  • mcs8/3

  • mcs9/3

  • mcs0/4

  • mcs1/4

  • mcs2/4

  • mcs3/4

  • mcs4/4

  • mcs5/4

  • mcs6/4

  • mcs7/4

  • mcs8/4

  • mcs9/4

  • mcs10/3

  • mcs11/3

  • mcs10/4

  • mcs11/4

rates-11bg

list / elements=string

Allowed data rates for 802.11b/g.

Choices:

  • 1

  • 1-basic

  • 2

  • 2-basic

  • 5.5

  • 5.5-basic

  • 6

  • 6-basic

  • 9

  • 9-basic

  • 12

  • 12-basic

  • 18

  • 18-basic

  • 24

  • 24-basic

  • 36

  • 36-basic

  • 48

  • 48-basic

  • 54

  • 54-basic

  • 11

  • 11-basic

rates-11n-ss12

list / elements=string

Allowed data rates for 802.11n with 1 or 2 spatial streams.

Choices:

  • mcs0/1

  • mcs1/1

  • mcs2/1

  • mcs3/1

  • mcs4/1

  • mcs5/1

  • mcs6/1

  • mcs7/1

  • mcs8/2

  • mcs9/2

  • mcs10/2

  • mcs11/2

  • mcs12/2

  • mcs13/2

  • mcs14/2

  • mcs15/2

rates-11n-ss34

list / elements=string

Allowed data rates for 802.11n with 3 or 4 spatial streams.

Choices:

  • mcs16/3

  • mcs17/3

  • mcs18/3

  • mcs19/3

  • mcs20/3

  • mcs21/3

  • mcs22/3

  • mcs23/3

  • mcs24/4

  • mcs25/4

  • mcs26/4

  • mcs27/4

  • mcs28/4

  • mcs29/4

  • mcs30/4

  • mcs31/4

sae-groups

list / elements=string

SAE-Groups.

Choices:

  • 1

  • 2

  • 5

  • 14

  • 15

  • 16

  • 17

  • 18

  • 19

  • 20

  • 21

  • 27

  • 28

  • 29

  • 30

  • 31

sae-password

string

WPA3 SAE password to be used to authenticate WiFi users.

schedule

string

VAP schedule name.

secondary-wag-profile

string

Secondary wireless access gateway profile name.

security

string

Security mode for the wireless interface (default = wpa2-only-personal).

Choices:

  • None

  • WEP64

  • wep64

  • WEP128

  • wep128

  • WPA_PSK

  • WPA_RADIUS

  • WPA

  • WPA2

  • WPA2_AUTO

  • open

  • wpa-personal

  • wpa-enterprise

  • captive-portal

  • wpa-only-personal

  • wpa-only-enterprise

  • wpa2-only-personal

  • wpa2-only-enterprise

  • wpa-personal+captive-portal

  • wpa-only-personal+captive-portal

  • wpa2-only-personal+captive-portal

  • osen

  • wpa3-enterprise

  • sae

  • sae-transition

  • owe

  • wpa3-sae

  • wpa3-sae-transition

  • wpa3-only-enterprise

  • wpa3-enterprise-transition

security-exempt-list

string

Optional security exempt list for captive portal authentication.

security-obsolete-option

string

Enable/disable obsolete security options.

Choices:

  • disable

  • enable

security-redirect-url

string

Optional URL for redirecting users after they pass captive portal authentication.

selected-usergroups

string

Selective user groups that are permitted to authenticate.

split-tunneling

string

Enable/disable split tunneling (default = disable).

Choices:

  • disable

  • enable

ssid

string

IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configur…

sticky-client-remove

string

Enable/disable sticky client remove to maintain good signal level clients in SSID (default = disable).

Choices:

  • disable

  • enable

sticky-client-threshold-2g

string

Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20, default = -79).

sticky-client-threshold-5g

string

Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20, default = -76).

target-wake-time

string

Enable/disable 802.11ax target wake time (default = enable).

Choices:

  • disable

  • enable

tkip-counter-measure

string

Enable/disable TKIP counter measure.

Choices:

  • disable

  • enable

tunnel-echo-interval

integer

The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec, default = 300).

tunnel-fallback-interval

integer

The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec, default = 7200).

usergroup

string

Firewall user group to be used to authenticate WiFi users.

utm-profile

string

UTM profile name.

vdom

string

Name of the VDOM that the Virtual AP has been added to.

vlan-auto

string

Enable/disable automatic management of SSID VLAN interface.

Choices:

  • disable

  • enable

vlan-pool

list / elements=string

Vlan-Pool.

_wtp-group

string

_Wtp-Group.

id

integer

ID.

wtp-group

string

WTP group name.

vlan-pooling

string

Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When…

Choices:

  • wtp-group

  • round-robin

  • hash

  • disable

vlanid

integer

Optional VLAN ID.

voice-enterprise

string

Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).

Choices:

  • disable

  • enable

workspace_locking_adom

string

The ADOM to lock when FortiManager is running in workspace mode; the value can be global or any other ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • This FortiManager module supports workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.
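
The notes and parameters above applied to one concrete SSID, as an added example that is not part of the module's own documentation; it uses only parameters listed on this page. The ADOM `root`, the name `corp-wpa3` and the vault variable `vault_corp_sae_password` are assumptions made for illustration.

```yaml
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # Validate the FortiManager TLS certificate for the API session.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure a WPA3-SAE virtual access point
      fmgr_vap:
        # Assumption: the target ADOM is root and FortiManager runs in workspace mode.
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        state: present
        vap:
          name: corp-wpa3   # constructed VAP name
          ssid: corp-wpa3   # constructed SSID
          security: wpa3-sae
          # Hypothetical Ansible Vault variable; keeps the secret out of the playbook file.
          sae-password: "{{ vault_corp_sae_password }}"
          sae-groups:
            - "19"
            - "20"
            - "21"
          pmf: enable
          # Block direct traffic between clients on this SSID.
          intra-vap-privacy: enable
          # List only the management access the SSID interface needs,
          # not every choice the parameter accepts.
          _intf_allowaccess:
            - ping
      # Keep the task arguments, including sae-password, out of Ansible output and logs.
      no_log: true
```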

Examples

- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure Virtual Access Points
     fmgr_vap:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        vap:
           _centmgmt: <value in [disable, enable]>
           _dhcp_svr_id: <value of string>
           _intf_allowaccess:
             - https
             - ping
             - ssh
             - snmp
             - http
             - telnet
             - fgfm
             - auto-ipsec
             - radius-acct
             - probe-response
             - capwap
           _intf_device-identification: <value in [disable, enable]>
           _intf_device-netscan: <value in [disable, enable]>
           _intf_dhcp-relay-ip: <value of string>
           _intf_dhcp-relay-service: <value in [disable, enable]>
           _intf_dhcp-relay-type: <value in [regular, ipsec]>
           _intf_dhcp6-relay-ip: <value of string>
           _intf_dhcp6-relay-service: <value in [disable, enable]>
           _intf_dhcp6-relay-type: <value in [regular]>
           _intf_ip: <value of string>
           _intf_ip6-address: <value of string>
           _intf_ip6-allowaccess:
             - https
             - ping
             - ssh
             - snmp
             - http
             - telnet
             - any
             - fgfm
             - capwap
           _intf_listen-forticlient-connection: <value in [disable, enable]>
           acct-interim-interval: <value of integer>
           alias: <value of string>
           auth: <value in [PSK, psk, RADIUS, ...]>
           broadcast-ssid: <value in [disable, enable]>
           broadcast-suppression:
             - dhcp
             - arp
             - dhcp2
             - arp2
             - netbios-ns
             - netbios-ds
             - arp3
             - dhcp-up
             - dhcp-down
             - arp-known
             - arp-unknown
             - arp-reply
             - ipv6
             - dhcp-starvation
             - arp-poison
             - all-other-mc
             - all-other-bc
             - arp-proxy
             - dhcp-ucast
           captive-portal-ac-name: <value of string>
           captive-portal-macauth-radius-secret: <value of string>
           captive-portal-macauth-radius-server: <value of string>
           captive-portal-radius-secret: <value of string>
           captive-portal-radius-server: <value of string>
           captive-portal-session-timeout-interval: <value of integer>
           dhcp-lease-time: <value of integer>
           dhcp-option82-circuit-id-insertion: <value in [disable, style-1, style-2, ...]>
           dhcp-option82-insertion: <value in [disable, enable]>
           dhcp-option82-remote-id-insertion: <value in [disable, style-1]>
           dynamic-vlan: <value in [disable, enable]>
           dynamic_mapping:
             -
                 _centmgmt: <value in [disable, enable]>
                 _dhcp_svr_id: <value of string>
                 _intf_allowaccess:
                   - https
                   - ping
                   - ssh
                   - snmp
                   - http
                   - telnet
                   - fgfm
                   - auto-ipsec
                   - radius-acct
                   - probe-response
                   - capwap
                 _intf_device-identification: <value in [disable, enable]>
                 _intf_device-netscan: <value in [disable, enable]>
                 _intf_dhcp-relay-ip: <value of string>
                 _intf_dhcp-relay-service: <value in [disable, enable]>
                 _intf_dhcp-relay-type: <value in [regular, ipsec]>
                 _intf_dhcp6-relay-ip: <value of string>
                 _intf_dhcp6-relay-service: <value in [disable, enable]>
                 _intf_dhcp6-relay-type: <value in [regular]>
                 _intf_ip: <value of string>
                 _intf_ip6-address: <value of string>
                 _intf_ip6-allowaccess:
                   - https
                   - ping
                   - ssh
                   - snmp
                   - http
                   - telnet
                   - any
                   - fgfm
                   - capwap
                 _intf_listen-forticlient-connection: <value in [disable, enable]>
                 _scope:
                   -
                       name: <value of string>
                       vdom: <value of string>
                 acct-interim-interval: <value of integer>
                 address-group: <value of string>
                 alias: <value of string>
                 atf-weight: <value of integer>
                 auth: <value in [PSK, psk, RADIUS, ...]>
                 broadcast-ssid: <value in [disable, enable]>
                 broadcast-suppression:
                   - dhcp
                   - arp
                   - dhcp2
                   - arp2
                   - netbios-ns
                   - netbios-ds
                   - arp3
                   - dhcp-up
                   - dhcp-down
                   - arp-known
                   - arp-unknown
                   - arp-reply
                   - ipv6
                   - dhcp-starvation
                   - arp-poison
                   - all-other-mc
                   - all-other-bc
                   - arp-proxy
                   - dhcp-ucast
                 captive-portal-ac-name: <value of string>
                 captive-portal-macauth-radius-secret: <value of string>
                 captive-portal-macauth-radius-server: <value of string>
                 captive-portal-radius-secret: <value of string>
                 captive-portal-radius-server: <value of string>
                 captive-portal-session-timeout-interval: <value of integer>
                 client-count: <value of integer>
                 dhcp-lease-time: <value of integer>
                 dhcp-option82-circuit-id-insertion: <value in [disable, style-1, style-2, ...]>
                 dhcp-option82-insertion: <value in [disable, enable]>
                 dhcp-option82-remote-id-insertion: <value in [disable, style-1]>
                 dynamic-vlan: <value in [disable, enable]>
                 eap-reauth: <value in [disable, enable]>
                 eap-reauth-intv: <value of integer>
                 eapol-key-retries: <value in [disable, enable]>
                 encrypt: <value in [TKIP, AES, TKIP-AES]>
                 external-fast-roaming: <value in [disable, enable]>
                 external-logout: <value of string>
                 external-web: <value of string>
                 fast-bss-transition: <value in [disable, enable]>
                 fast-roaming: <value in [disable, enable]>
                 ft-mobility-domain: <value of integer>
                 ft-over-ds: <value in [disable, enable]>
                 ft-r0-key-lifetime: <value of integer>
                 gtk-rekey: <value in [disable, enable]>
                 gtk-rekey-intv: <value of integer>
                 hotspot20-profile: <value of string>
                 intra-vap-privacy: <value in [disable, enable]>
                 ip: <value of string>
                 key: <value of string>
                 keyindex: <value of integer>
                 ldpc: <value in [disable, tx, rx, ...]>
                 local-authentication: <value in [disable, enable]>
                 local-bridging: <value in [disable, enable]>
                 local-lan: <value in [deny, allow]>
                 local-standalone: <value in [disable, enable]>
                 local-standalone-nat: <value in [disable, enable]>
                 local-switching: <value in [disable, enable]>
                 mac-auth-bypass: <value in [disable, enable]>
                 mac-filter: <value in [disable, enable]>
                 mac-filter-policy-other: <value in [deny, allow]>
                 max-clients: <value of integer>
                 max-clients-ap: <value of integer>
                 me-disable-thresh: <value of integer>
                 mesh-backhaul: <value in [disable, enable]>
                 mpsk: <value in [disable, enable]>
                 mpsk-concurrent-clients: <value of integer>
                 multicast-enhance: <value in [disable, enable]>
                 multicast-rate: <value in [0, 6000, 12000, ...]>
                 okc: <value in [disable, enable]>
                 owe-groups:
                   - 19
                   - 20
                   - 21
                 owe-transition: <value in [disable, enable]>
                 owe-transition-ssid: <value of string>
                 passphrase: <value of string>
                 pmf: <value in [disable, enable, optional]>
                 pmf-assoc-comeback-timeout: <value of integer>
                 pmf-sa-query-retry-timeout: <value of integer>
                 portal-message-override-group: <value of string>
                 portal-type: <value in [auth, auth+disclaimer, disclaimer, ...]>
                 probe-resp-suppression: <value in [disable, enable]>
                 probe-resp-threshold: <value of string>
                 ptk-rekey: <value in [disable, enable]>
                 ptk-rekey-intv: <value of integer>
                 qos-profile: <value of string>
                 quarantine: <value in [disable, enable]>
                 radio-2g-threshold: <value of string>
                 radio-5g-threshold: <value of string>
                 radio-sensitivity: <value in [disable, enable]>
                 radius-mac-auth: <value in [disable, enable]>
                 radius-mac-auth-server: <value of string>
                 radius-mac-auth-usergroups: <value of string>
                 radius-server: <value of string>
                 rates-11a:
                   - 1
                   - 1-basic
                   - 2
                   - 2-basic
                   - 5.5
                   - 5.5-basic
                   - 6
                   - 6-basic
                   - 9
                   - 9-basic
                   - 12
                   - 12-basic
                   - 18
                   - 18-basic
                   - 24
                   - 24-basic
                   - 36
                   - 36-basic
                   - 48
                   - 48-basic
                   - 54
                   - 54-basic
                   - 11
                   - 11-basic
                 rates-11ac-ss12:
                   - mcs0/1
                   - mcs1/1
                   - mcs2/1
                   - mcs3/1
                   - mcs4/1
                   - mcs5/1
                   - mcs6/1
                   - mcs7/1
                   - mcs8/1
                   - mcs9/1
                   - mcs0/2
                   - mcs1/2
                   - mcs2/2
                   - mcs3/2
                   - mcs4/2
                   - mcs5/2
                   - mcs6/2
                   - mcs7/2
                   - mcs8/2
                   - mcs9/2
                   - mcs10/1
                   - mcs11/1
                   - mcs10/2
                   - mcs11/2
                 rates-11ac-ss34:
                   - mcs0/3
                   - mcs1/3
                   - mcs2/3
                   - mcs3/3
                   - mcs4/3
                   - mcs5/3
                   - mcs6/3
                   - mcs7/3
                   - mcs8/3
                   - mcs9/3
                   - mcs0/4
                   - mcs1/4
                   - mcs2/4
                   - mcs3/4
                   - mcs4/4
                   - mcs5/4
                   - mcs6/4
                   - mcs7/4
                   - mcs8/4
                   - mcs9/4
                   - mcs10/3
                   - mcs11/3
                   - mcs10/4
                   - mcs11/4
                 rates-11bg:
                   - 1
                   - 1-basic
                   - 2
                   - 2-basic
                   - 5.5
                   - 5.5-basic
                   - 6
                   - 6-basic
                   - 9
                   - 9-basic
                   - 12
                   - 12-basic
                   - 18
                   - 18-basic
                   - 24
                   - 24-basic
                   - 36
                   - 36-basic
                   - 48
                   - 48-basic
                   - 54
                   - 54-basic
                   - 11
                   - 11-basic
                 rates-11n-ss12:
                   - mcs0/1
                   - mcs1/1
                   - mcs2/1
                   - mcs3/1
                   - mcs4/1
                   - mcs5/1
                   - mcs6/1
                   - mcs7/1
                   - mcs8/2
                   - mcs9/2
                   - mcs10/2
                   - mcs11/2
                   - mcs12/2
                   - mcs13/2
                   - mcs14/2
                   - mcs15/2
                 rates-11n-ss34:
                   - mcs16/3
                   - mcs17/3
                   - mcs18/3
                   - mcs19/3
                   - mcs20/3
                   - mcs21/3
                   - mcs22/3
                   - mcs23/3
                   - mcs24/4
                   - mcs25/4
                   - mcs26/4
                   - mcs27/4
                   - mcs28/4
                   - mcs29/4
                   - mcs30/4
                   - mcs31/4
                 sae-groups:
                   - 1
                   - 2
                   - 5
                   - 14
                   - 15
                   - 16
                   - 17
                   - 18
                   - 19
                   - 20
                   - 21
                   - 27
                   - 28
                   - 29
                   - 30
                   - 31
                 sae-password: <value of string>
                 schedule: <value of string>
                 security: <value in [None, WEP64, wep64, ...]>
                 security-exempt-list: <value of string>
                 security-obsolete-option: <value in [disable, enable]>
                 security-redirect-url: <value of string>
                 selected-usergroups: <value of string>
                 split-tunneling: <value in [disable, enable]>
                 ssid: <value of string>
                 tkip-counter-measure: <value in [disable, enable]>
                 usergroup: <value of string>
                 utm-profile: <value of string>
                 vdom: <value of string>
                 vlan-auto: <value in [disable, enable]>
                 vlan-pooling: <value in [wtp-group, round-robin, hash, ...]>
                 vlanid: <value of integer>
                 voice-enterprise: <value in [disable, enable]>
                 mu-mimo: <value in [disable, enable]>
                 _intf_device-access-list: <value of string>
                 external-web-format: <value in [auto-detect, no-query-string, partial-query-string]>
                 high-efficiency: <value in [disable, enable]>
                 primary-wag-profile: <value of string>
                 secondary-wag-profile: <value of string>
                 target-wake-time: <value in [disable, enable]>
                 tunnel-echo-interval: <value of integer>
                 tunnel-fallback-interval: <value of integer>
                 access-control-list: <value of string>
                 captive-portal-auth-timeout: <value of integer>
                 ipv6-rules:
                   - drop-icmp6ra
                   - drop-icmp6rs
                   - drop-llmnr6
                   - drop-icmp6mld2
                   - drop-dhcp6s
                   - drop-dhcp6c
                   - ndp-proxy
                   - drop-ns-dad
                   - drop-ns-nondad
                 sticky-client-remove: <value in [disable, enable]>
                 sticky-client-threshold-2g: <value of string>
                 sticky-client-threshold-5g: <value of string>
                 bss-color-partial: <value in [disable, enable]>
                 dhcp-option43-insertion: <value in [disable, enable]>
                 mpsk-profile: <value of string>
                 igmp-snooping: <value in [disable, enable]>
                 port-macauth: <value in [disable, radius, address-group]>
                 port-macauth-reauth-timeout: <value of integer>
                 port-macauth-timeout: <value of integer>
                 additional-akms:
                   - akm6
                 bstm-disassociation-imminent: <value in [disable, enable]>
                 bstm-load-balancing-disassoc-timer: <value of integer>
                 bstm-rssi-disassoc-timer: <value of integer>
                 dhcp-address-enforcement: <value in [disable, enable]>
                 gas-comeback-delay: <value of integer>
                 gas-fragmentation-limit: <value of integer>
                 mac-called-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
                 mac-calling-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
                 mac-case: <value in [uppercase, lowercase]>
                 mac-password-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
                 mac-username-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
                 mbo: <value in [disable, enable]>
                 mbo-cell-data-conn-pref: <value in [excluded, prefer-not, prefer-use]>
                 nac: <value in [disable, enable]>
                 nac-profile: <value of string>
                 neighbor-report-dual-band: <value in [disable, enable]>
           eap-reauth: <value in [disable, enable]>
           eap-reauth-intv: <value of integer>
           eapol-key-retries: <value in [disable, enable]>
           encrypt: <value in [TKIP, AES, TKIP-AES]>
           external-fast-roaming: <value in [disable, enable]>
           external-logout: <value of string>
           external-web: <value of string>
           fast-bss-transition: <value in [disable, enable]>
           fast-roaming: <value in [disable, enable]>
           ft-mobility-domain: <value of integer>
           ft-over-ds: <value in [disable, enable]>
           ft-r0-key-lifetime: <value of integer>
           gtk-rekey: <value in [disable, enable]>
           gtk-rekey-intv: <value of integer>
           hotspot20-profile: <value of string>
           intra-vap-privacy: <value in [disable, enable]>
           ip: <value of string>
           key: <value of string>
           keyindex: <value of integer>
           ldpc: <value in [disable, tx, rx, ...]>
           local-authentication: <value in [disable, enable]>
           local-bridging: <value in [disable, enable]>
           local-lan: <value in [deny, allow]>
           local-standalone: <value in [disable, enable]>
           local-standalone-nat: <value in [disable, enable]>
           mac-auth-bypass: <value in [disable, enable]>
           mac-filter: <value in [disable, enable]>
           mac-filter-list:
             -
                 id: <value of integer>
                 mac: <value of string>
                 mac-filter-policy: <value in [deny, allow]>
           mac-filter-policy-other: <value in [deny, allow]>
           max-clients: <value of integer>
           max-clients-ap: <value of integer>
           me-disable-thresh: <value of integer>
           mesh-backhaul: <value in [disable, enable]>
           mpsk: <value in [disable, enable]>
           mpsk-concurrent-clients: <value of integer>
           mpsk-key:
             -
                 comment: <value of string>
                 concurrent-clients: <value of string>
                 key-name: <value of string>
                 passphrase: <value of string>
                 mpsk-schedules: <value of string>
           multicast-enhance: <value in [disable, enable]>
           multicast-rate: <value in [0, 6000, 12000, ...]>
           name: <value of string>
           okc: <value in [disable, enable]>
           passphrase: <value of string>
           pmf: <value in [disable, enable, optional]>
           pmf-assoc-comeback-timeout: <value of integer>
           pmf-sa-query-retry-timeout: <value of integer>
           portal-message-override-group: <value of string>
           portal-type: <value in [auth, auth+disclaimer, disclaimer, ...]>
           probe-resp-suppression: <value in [disable, enable]>
           probe-resp-threshold: <value of string>
           ptk-rekey: <value in [disable, enable]>
           ptk-rekey-intv: <value of integer>
           qos-profile: <value of string>
           quarantine: <value in [disable, enable]>
           radio-2g-threshold: <value of string>
           radio-5g-threshold: <value of string>
           radio-sensitivity: <value in [disable, enable]>
           radius-mac-auth: <value in [disable, enable]>
           radius-mac-auth-server: <value of string>
           radius-mac-auth-usergroups: <value of string>
           radius-server: <value of string>
           rates-11a:
             - 1
             - 1-basic
             - 2
             - 2-basic
             - 5.5
             - 5.5-basic
             - 6
             - 6-basic
             - 9
             - 9-basic
             - 12
             - 12-basic
             - 18
             - 18-basic
             - 24
             - 24-basic
             - 36
             - 36-basic
             - 48
             - 48-basic
             - 54
             - 54-basic
             - 11
             - 11-basic
           rates-11ac-ss12:
             - mcs0/1
             - mcs1/1
             - mcs2/1
             - mcs3/1
             - mcs4/1
             - mcs5/1
             - mcs6/1
             - mcs7/1
             - mcs8/1
             - mcs9/1
             - mcs0/2
             - mcs1/2
             - mcs2/2
             - mcs3/2
             - mcs4/2
             - mcs5/2
             - mcs6/2
             - mcs7/2
             - mcs8/2
             - mcs9/2
             - mcs10/1
             - mcs11/1
             - mcs10/2
             - mcs11/2
           rates-11ac-ss34:
             - mcs0/3
             - mcs1/3
             - mcs2/3
             - mcs3/3
             - mcs4/3
             - mcs5/3
             - mcs6/3
             - mcs7/3
             - mcs8/3
             - mcs9/3
             - mcs0/4
             - mcs1/4
             - mcs2/4
             - mcs3/4
             - mcs4/4
             - mcs5/4
             - mcs6/4
             - mcs7/4
             - mcs8/4
             - mcs9/4
             - mcs10/3
             - mcs11/3
             - mcs10/4
             - mcs11/4
           rates-11bg:
             - 1
             - 1-basic
             - 2
             - 2-basic
             - 5.5
             - 5.5-basic
             - 6
             - 6-basic
             - 9
             - 9-basic
             - 12
             - 12-basic
             - 18
             - 18-basic
             - 24
             - 24-basic
             - 36
             - 36-basic
             - 48
             - 48-basic
             - 54
             - 54-basic
             - 11
             - 11-basic
           rates-11n-ss12:
             - mcs0/1
             - mcs1/1
             - mcs2/1
             - mcs3/1
             - mcs4/1
             - mcs5/1
             - mcs6/1
             - mcs7/1
             - mcs8/2
             - mcs9/2
             - mcs10/2
             - mcs11/2
             - mcs12/2
             - mcs13/2
             - mcs14/2
             - mcs15/2
           rates-11n-ss34:
             - mcs16/3
             - mcs17/3
             - mcs18/3
             - mcs19/3
             - mcs20/3
             - mcs21/3
             - mcs22/3
             - mcs23/3
             - mcs24/4
             - mcs25/4
             - mcs26/4
             - mcs27/4
             - mcs28/4
             - mcs29/4
             - mcs30/4
             - mcs31/4
           schedule: <value of string>
           security: <value in [None, WEP64, wep64, ...]>
           security-exempt-list: <value of string>
           security-obsolete-option: <value in [disable, enable]>
           security-redirect-url: <value of string>
           selected-usergroups: <value of string>
           split-tunneling: <value in [disable, enable]>
           ssid: <value of string>
           tkip-counter-measure: <value in [disable, enable]>
           usergroup: <value of string>
           utm-profile: <value of string>
           vdom: <value of string>
           vlan-auto: <value in [disable, enable]>
           vlan-pool:
             -
                 _wtp-group: <value of string>
                 id: <value of integer>
                 wtp-group: <value of string>
           vlan-pooling: <value in [wtp-group, round-robin, hash, ...]>
           vlanid: <value of integer>
           voice-enterprise: <value in [disable, enable]>
           address-group: <value of string>
           atf-weight: <value of integer>
           mu-mimo: <value in [disable, enable]>
           owe-groups:
             - 19
             - 20
             - 21
           owe-transition: <value in [disable, enable]>
           owe-transition-ssid: <value of string>
           sae-groups:
             - 1
             - 2
             - 5
             - 14
             - 15
             - 16
             - 17
             - 18
             - 19
             - 20
             - 21
             - 27
             - 28
             - 29
             - 30
             - 31
           sae-password: <value of string>
           _intf_device-access-list: <value of string>
           external-web-format: <value in [auto-detect, no-query-string, partial-query-string]>
           high-efficiency: <value in [disable, enable]>
           primary-wag-profile: <value of string>
           secondary-wag-profile: <value of string>
           target-wake-time: <value in [disable, enable]>
           tunnel-echo-interval: <value of integer>
           tunnel-fallback-interval: <value of integer>
           access-control-list: <value of string>
           captive-portal-auth-timeout: <value of integer>
           ipv6-rules:
             - drop-icmp6ra
             - drop-icmp6rs
             - drop-llmnr6
             - drop-icmp6mld2
             - drop-dhcp6s
             - drop-dhcp6c
             - ndp-proxy
             - drop-ns-dad
             - drop-ns-nondad
           sticky-client-remove: <value in [disable, enable]>
           sticky-client-threshold-2g: <value of string>
           sticky-client-threshold-5g: <value of string>
           bss-color-partial: <value in [disable, enable]>
           dhcp-option43-insertion: <value in [disable, enable]>
           mpsk-profile: <value of string>
           igmp-snooping: <value in [disable, enable]>
           port-macauth: <value in [disable, radius, address-group]>
           port-macauth-reauth-timeout: <value of integer>
           port-macauth-timeout: <value of integer>
           portal-message-overrides:
              auth-disclaimer-page: <value of string>
              auth-login-failed-page: <value of string>
              auth-login-page: <value of string>
              auth-reject-page: <value of string>
           additional-akms:
             - akm6
           bstm-disassociation-imminent: <value in [disable, enable]>
           bstm-load-balancing-disassoc-timer: <value of integer>
           bstm-rssi-disassoc-timer: <value of integer>
           dhcp-address-enforcement: <value in [disable, enable]>
           gas-comeback-delay: <value of integer>
           gas-fragmentation-limit: <value of integer>
           mac-called-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
           mac-calling-station-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
           mac-case: <value in [uppercase, lowercase]>
           mac-password-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
           mac-username-delimiter: <value in [hyphen, single-hyphen, colon, ...]>
           mbo: <value in [disable, enable]>
           mbo-cell-data-conn-pref: <value in [excluded, prefer-not, prefer-use]>
           nac: <value in [disable, enable]>
           nac-profile: <value of string>
           neighbor-report-dual-band: <value in [disable, enable]>

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

request_url

string

The full URL requested

Returned: always

Sample: “/sys/login/user”

response_code

integer

The status of the API request

Returned: always

Sample: 0

response_message

string

The descriptive message of the API response

Returned: always

Sample: “OK.”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)