fortinet.fortios.fortios_wireless_controller_vap module – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate.
Note
This module is part of the fortinet.fortios collection (version 2.1.6).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install fortinet.fortios.
To use it in a playbook, specify: fortinet.fortios.fortios_wireless_controller_vap.
New in version 2.0.0: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify wireless_controller feature and vap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
|---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
|
Configure Virtual Access Points (VAPs). |
|
Profile name for access-control-list. Source wireless-controller.access-control-list.name. |
|
WiFi RADIUS accounting interim interval (60 - 86400 sec). |
|
Additional AKMs. Choices:
|
|
Address group ID. Source wireless-controller.addrgrp.id. |
|
Alias. |
|
AntiVirus profile name. Source antivirus.profile.name. |
|
Application control list name. Source application.list.name. |
|
Airtime weight in percentage . |
|
Authentication protocol. Choices:
|
|
HTTPS server certificate. Source vpn.certificate.local.name. |
|
Address of captive portal. |
|
Fortinet beacon advertising IE data . Choices:
|
|
Enable/disable broadcasting the SSID . Choices:
|
|
Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. Choices:
|
|
Enable/disable 802.11ax partial BSS color . Choices:
|
|
Enable/disable forcing of disassociation after the BSTM request timer has been reached . Choices:
|
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to AP load-balancing (0 to 30). |
|
Time interval for client to voluntarily leave AP before forcing a disassociation due to low RSSI (0 to 2000). |
|
Local-bridging captive portal ac-name. |
|
Hard timeout - AP will always clear the session after timeout regardless of traffic (0 - 864000 sec). |
|
Secret key to access the macauth RADIUS server. |
|
Captive portal external RADIUS server domain name or IP address. |
|
Secret key to access the RADIUS server. |
|
Captive portal RADIUS server domain name or IP address. |
|
Session timeout interval (0 - 864000 sec). |
|
Enable/disable DHCP address enforcement . Choices:
|
|
DHCP lease time in seconds for NAT IP address. |
|
Enable/disable insertion of DHCP option 43 . Choices:
|
|
Enable/disable DHCP option 82 circuit-id insert . Choices:
|
|
Enable/disable DHCP option 82 insert . Choices:
|
|
Enable/disable DHCP option 82 remote-id insert . Choices:
|
|
Enable/disable dynamic VLAN assignment. Choices:
|
|
Enable/disable EAP re-authentication for WPA-Enterprise security. Choices:
|
|
EAP re-authentication interval (1800 - 864000 sec). |
|
Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) . Choices:
|
|
Encryption protocol to use (only available when security is set to a WPA type). Choices:
|
|
Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate . Choices:
|
|
URL of external authentication logout server. |
|
URL of external authentication web server. |
|
URL query parameter detection . Choices:
|
|
Enable/disable 802.11r Fast BSS Transition (FT) . Choices:
|
|
Enable/disable fast-roaming, or pre-authentication, where supported by clients . Choices:
|
|
Mobility domain identifier in FT (1 - 65535). |
|
Enable/disable FT over the Distribution System (DS). Choices:
|
|
Lifetime of the PMK-R0 key in FT, 1-65535 minutes. |
|
GAS comeback delay (0 or 100 - 10000 milliseconds). |
|
GAS fragmentation limit (512 - 4096). |
|
Enable/disable GTK rekey for WPA security. Choices:
|
|
GTK rekey interval (1800 - 864000 sec). |
|
Enable/disable 802.11ax high efficiency . Choices:
|
|
Hotspot 2.0 profile name. Source wireless-controller.hotspot20.hs-profile.name. |
|
Enable/disable IGMP snooping. Choices:
|
|
Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) . Choices:
|
|
IP address and subnet mask for the local standalone NAT subnet. |
|
IPS sensor name. Source ips.sensor.name. |
|
Optional rules of IPv6 packets. For example, you can keep RA, RS and so on off of the wireless network. Choices:
|
|
WEP Key. |
|
WEP key index (1 - 4). |
|
VAP low-density parity-check (LDPC) coding configuration. Choices:
|
|
Enable/disable AP local authentication. Choices:
|
|
Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP . Choices:
|
|
Allow/deny traffic destined for a Class A, B, or C private IP address . Choices:
|
|
Enable/disable AP local standalone . Choices:
|
|
Enable/disable AP local standalone DNS. Choices:
|
|
IPv4 addresses for the local standalone DNS. |
|
Enable/disable AP local standalone NAT mode. Choices:
|
|
Enable/disable MAC authentication bypass. Choices:
|
|
MAC called station delimiter . Choices:
|
|
MAC calling station delimiter . Choices:
|
|
MAC case . Choices:
|
|
Enable/disable MAC filtering to block wireless clients by mac address. Choices:
|
|
Create a list of MAC addresses for MAC address filtering. |
|
ID. |
|
MAC address. |
|
Deny or allow the client with this MAC address. Choices:
|
|
Allow or block clients with MAC addresses that are not in the filter list. Choices:
|
|
MAC authentication password delimiter . Choices:
|
|
MAC authentication username delimiter . Choices:
|
|
Maximum number of clients that can connect simultaneously to the VAP . |
|
Maximum number of clients that can connect simultaneously to the VAP per AP radio . |
|
Enable/disable Multiband Operation . Choices:
|
|
MBO cell data connection preference (0, 1, or 255). Choices:
|
|
Disable multicast enhancement when this many clients are receiving multicast traffic. |
|
Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open. Choices:
|
|
Enable/disable multiple PSK authentication. Choices:
|
|
Maximum number of concurrent clients that connect using the same passphrase in multiple PSK authentication (0 - 65535). |
|
List of multiple PSK entries. |
|
Comment. |
|
Number of clients that can connect using this pre-shared key. |
|
Pre-shared key name. |
|
Firewall schedule for MPSK passphrase. The passphrase will be effective only when at least one schedule is valid. |
|
Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. |
|
WPA Pre-shared key. |
|
MPSK profile name. Source wireless-controller.mpsk-profile.name. |
|
Enable/disable Multi-user MIMO . Choices:
|
|
Enable/disable converting multicast to unicast to improve performance . Choices:
|
|
Multicast rate (0, 6000, 12000, or 24000 kbps). Choices:
|
|
Enable/disable network access control. Choices:
|
|
NAC profile name. Source wireless-controller.nac-profile.name. |
|
Virtual AP name. |
|
Enable/disable dual-band neighbor report . Choices:
|
|
Enable/disable Opportunistic Key Caching (OKC) . Choices:
|
|
Enable/disable OSEN as part of key management . Choices:
|
|
OWE-Groups. Choices:
|
|
Enable/disable OWE transition mode support. Choices:
|
|
OWE transition mode peer SSID. |
|
WPA pre-shared key (PSK) to be used to authenticate WiFi users. |
|
Protected Management Frames (PMF) support . Choices:
|
|
Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). |
|
Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). |
|
Enable/disable LAN port MAC authentication . Choices:
|
|
LAN port MAC authentication re-authentication timeout value . |
|
LAN port MAC authentication idle timeout value . |
|
Replacement message group for this VAP (only available when security is set to a captive portal type). Source system.replacemsg-group .name. |
|
Individual message overrides. |
|
Override auth-disclaimer-page message with message from portal-message-overrides group. |
|
Override auth-login-failed-page message with message from portal-message-overrides group. |
|
Override auth-login-page message with message from portal-message-overrides group. |
|
Override auth-reject-page message with message from portal-message-overrides group. |
|
Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. Choices:
|
|
Primary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
|
Enable/disable probe response suppression (to ignore weak signals) . Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). |
|
Enable/disable PTK rekey for WPA-Enterprise security. Choices:
|
|
PTK rekey interval (1800 - 864000 sec). |
|
Quality of service profile name. Source wireless-controller.qos-profile.name. |
|
Enable/disable station quarantine . Choices:
|
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20). |
|
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20). |
|
Enable/disable software radio sensitivity (to ignore weak signals) . Choices:
|
|
Enable/disable RADIUS-based MAC authentication of clients . Choices:
|
|
RADIUS-based MAC authentication server. Source user.radius.name. |
|
Selective user groups that are permitted for RADIUS mac authentication. |
|
User group name. |
|
Enable/disable RADIUS-based MAC authentication of clients for MPSK authentication . Choices:
|
|
RADIUS MAC MPSK cache timeout interval (1800 - 864000). |
|
RADIUS server to be used to authenticate WiFi users. Source user.radius.name. |
|
Allowed data rates for 802.11a. Choices:
|
|
Allowed data rates for 802.11ac with 1 or 2 spatial streams. Choices:
|
|
Allowed data rates for 802.11ac with 3 or 4 spatial streams. Choices:
|
|
Allowed data rates for 802.11ax with 1 or 2 spatial streams. Choices:
|
|
Allowed data rates for 802.11ax with 3 or 4 spatial streams. Choices:
|
|
Allowed data rates for 802.11b/g. Choices:
|
|
Allowed data rates for 802.11n with 1 or 2 spatial streams. Choices:
|
|
Allowed data rates for 802.11n with 3 or 4 spatial streams. Choices:
|
|
SAE-Groups. Choices:
|
|
WPA3 SAE password to be used to authenticate WiFi users. |
|
Block or monitor connections to Botnet servers or disable Botnet scanning. Choices:
|
|
Firewall schedules for enabling this VAP on the FortiAP. This VAP will be enabled when at least one of the schedules is valid. Separate multiple schedule names with a space. |
|
Schedule name. Source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name. |
|
Secondary wireless access gateway profile name. Source wireless-controller.wag-profile.name. |
|
Security mode for the wireless interface . Choices:
|
|
Optional security exempt list for captive portal authentication. Source user.security-exempt-list.name. |
|
Enable/disable obsolete security options. Choices:
|
|
Optional URL for redirecting users after they pass captive portal authentication. |
|
Selective user groups that are permitted to authenticate. |
|
User group name. Source user.group.name. |
|
Enable/disable split tunneling . Choices:
|
|
IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. |
|
Enable/disable sticky client remove to maintain good signal level clients in SSID . Choices:
|
|
Minimum signal level/threshold in dBm required for the 2G client to be serviced by the AP (-95 to -20). |
|
Minimum signal level/threshold in dBm required for the 5G client to be serviced by the AP (-95 to -20). |
|
Enable/disable 802.11ax target wake time . Choices:
|
|
Enable/disable TKIP counter measure. Choices:
|
|
The time interval to send echo to both primary and secondary tunnel peers (1 - 65535 sec). |
|
The time interval for secondary tunnel to fall back to primary tunnel (0 - 65535 sec). |
|
Firewall user group to be used to authenticate WiFi users. |
|
User group name. Source user.group.name. |
|
Enable/disable UTM logging. Choices:
|
|
UTM profile name. Source wireless-controller.utm-profile.name. |
|
Enable to add one or more security profiles (AV, IPS, etc.) to the VAP. Choices:
|
|
Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name. |
|
Enable/disable automatic management of SSID VLAN interface. Choices:
|
|
Table for mapping VLAN name to VLAN ID. |
|
VLAN name. |
|
VLAN ID. |
|
VLAN pool. |
|
ID. |
|
WTP group name. Source wireless-controller.wtp-group.name. |
|
Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools . When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. Choices:
|
|
Optional VLAN ID. |
|
Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming . Choices:
|
|
WebFilter profile name. Source webfilter.profile.name. |
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure Virtual Access Points (VAPs).
fortios_wireless_controller_vap:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
wireless_controller_vap:
access_control_list: "<your_own_value> (source wireless-controller.access-control-list.name)"
acct_interim_interval: "4"
additional_akms: "akm6"
address_group: "<your_own_value> (source wireless-controller.addrgrp.id)"
alias: "<your_own_value>"
antivirus_profile: "<your_own_value> (source antivirus.profile.name)"
application_list: "<your_own_value> (source application.list.name)"
atf_weight: "10"
auth: "psk"
auth_cert: "<your_own_value> (source vpn.certificate.local.name)"
auth_portal_addr: "<your_own_value>"
beacon_advertising: "name"
broadcast_ssid: "enable"
broadcast_suppression: "dhcp-up"
bss_color_partial: "enable"
bstm_disassociation_imminent: "enable"
bstm_load_balancing_disassoc_timer: "19"
bstm_rssi_disassoc_timer: "20"
captive_portal_ac_name: "<your_own_value>"
captive_portal_auth_timeout: "22"
captive_portal_macauth_radius_secret: "<your_own_value>"
captive_portal_macauth_radius_server: "<your_own_value>"
captive_portal_radius_secret: "<your_own_value>"
captive_portal_radius_server: "<your_own_value>"
captive_portal_session_timeout_interval: "27"
dhcp_address_enforcement: "enable"
dhcp_lease_time: "29"
dhcp_option43_insertion: "enable"
dhcp_option82_circuit_id_insertion: "style-1"
dhcp_option82_insertion: "enable"
dhcp_option82_remote_id_insertion: "style-1"
dynamic_vlan: "enable"
eap_reauth: "enable"
eap_reauth_intv: "36"
eapol_key_retries: "disable"
encrypt: "TKIP"
external_fast_roaming: "enable"
external_logout: "<your_own_value>"
external_web: "<your_own_value>"
external_web_format: "auto-detect"
fast_bss_transition: "disable"
fast_roaming: "enable"
ft_mobility_domain: "45"
ft_over_ds: "disable"
ft_r0_key_lifetime: "47"
gas_comeback_delay: "48"
gas_fragmentation_limit: "49"
gtk_rekey: "enable"
gtk_rekey_intv: "51"
high_efficiency: "enable"
hotspot20_profile: "<your_own_value> (source wireless-controller.hotspot20.hs-profile.name)"
igmp_snooping: "enable"
intra_vap_privacy: "enable"
ip: "<your_own_value>"
ips_sensor: "<your_own_value> (source ips.sensor.name)"
ipv6_rules: "drop-icmp6ra"
key: "<your_own_value>"
keyindex: "60"
ldpc: "disable"
local_authentication: "enable"
local_bridging: "enable"
local_lan: "allow"
local_standalone: "enable"
local_standalone_dns: "enable"
local_standalone_dns_ip: "<your_own_value>"
local_standalone_nat: "enable"
mac_auth_bypass: "enable"
mac_called_station_delimiter: "hyphen"
mac_calling_station_delimiter: "hyphen"
mac_case: "uppercase"
mac_filter: "enable"
mac_filter_list:
-
id: "75"
mac: "<your_own_value>"
mac_filter_policy: "allow"
mac_filter_policy_other: "allow"
mac_password_delimiter: "hyphen"
mac_username_delimiter: "hyphen"
max_clients: "81"
max_clients_ap: "82"
mbo: "disable"
mbo_cell_data_conn_pref: "excluded"
me_disable_thresh: "85"
mesh_backhaul: "enable"
mpsk: "enable"
mpsk_concurrent_clients: "88"
mpsk_key:
-
comment: "Comment."
concurrent_clients: "<your_own_value>"
key_name: "<your_own_value>"
mpsk_schedules:
-
name: "default_name_94 (source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name)"
passphrase: "<your_own_value>"
mpsk_profile: "<your_own_value> (source wireless-controller.mpsk-profile.name)"
mu_mimo: "enable"
multicast_enhance: "enable"
multicast_rate: "0"
nac: "enable"
nac_profile: "<your_own_value> (source wireless-controller.nac-profile.name)"
name: "default_name_102"
neighbor_report_dual_band: "disable"
okc: "disable"
osen: "enable"
owe_groups: "19"
owe_transition: "disable"
owe_transition_ssid: "<your_own_value>"
passphrase: "<your_own_value>"
pmf: "disable"
pmf_assoc_comeback_timeout: "111"
pmf_sa_query_retry_timeout: "112"
port_macauth: "disable"
port_macauth_reauth_timeout: "114"
port_macauth_timeout: "115"
portal_message_override_group: "<your_own_value> (source system.replacemsg-group.name)"
portal_message_overrides:
auth_disclaimer_page: "<your_own_value>"
auth_login_failed_page: "<your_own_value>"
auth_login_page: "<your_own_value>"
auth_reject_page: "<your_own_value>"
portal_type: "auth"
primary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
probe_resp_suppression: "enable"
probe_resp_threshold: "<your_own_value>"
ptk_rekey: "enable"
ptk_rekey_intv: "127"
qos_profile: "<your_own_value> (source wireless-controller.qos-profile.name)"
quarantine: "enable"
radio_2g_threshold: "<your_own_value>"
radio_5g_threshold: "<your_own_value>"
radio_sensitivity: "enable"
radius_mac_auth: "enable"
radius_mac_auth_server: "<your_own_value> (source user.radius.name)"
radius_mac_auth_usergroups:
-
name: "default_name_136"
radius_mac_mpsk_auth: "enable"
radius_mac_mpsk_timeout: "138"
radius_server: "<your_own_value> (source user.radius.name)"
rates_11a: "1"
rates_11ac_ss12: "mcs0/1"
rates_11ac_ss34: "mcs0/3"
rates_11ax_ss12: "mcs0/1"
rates_11ax_ss34: "mcs0/3"
rates_11bg: "1"
rates_11n_ss12: "mcs0/1"
rates_11n_ss34: "mcs16/3"
sae_groups: "19"
sae_password: "<your_own_value>"
scan_botnet_connections: "disable"
schedule:
-
name: "default_name_152 (source firewall.schedule.group.name firewall.schedule.recurring.name firewall.schedule.onetime.name)"
secondary_wag_profile: "<your_own_value> (source wireless-controller.wag-profile.name)"
security: "open"
security_exempt_list: "<your_own_value> (source user.security-exempt-list.name)"
security_obsolete_option: "enable"
security_redirect_url: "<your_own_value>"
selected_usergroups:
-
name: "default_name_159 (source user.group.name)"
split_tunneling: "enable"
ssid: "<your_own_value>"
sticky_client_remove: "enable"
sticky_client_threshold_2g: "<your_own_value>"
sticky_client_threshold_5g: "<your_own_value>"
target_wake_time: "enable"
tkip_counter_measure: "enable"
tunnel_echo_interval: "167"
tunnel_fallback_interval: "168"
usergroup:
-
name: "default_name_170 (source user.group.name)"
utm_log: "enable"
utm_profile: "<your_own_value> (source wireless-controller.utm-profile.name)"
utm_status: "enable"
vdom: "<your_own_value> (source system.vdom.name)"
vlan_auto: "enable"
vlan_name:
-
name: "default_name_177"
vlan_id: "178"
vlan_pool:
-
id: "180"
wtp_group: "<your_own_value> (source wireless-controller.wtp-group.name)"
vlan_pooling: "wtp-group"
vlanid: "183"
voice_enterprise: "disable"
webfilter_profile: "<your_own_value> (source webfilter.profile.name)"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)