fortinet.fortimanager.fmgr_user_radius module – Configure RADIUS server entries.

Note

This module is part of the fortinet.fortimanager collection (version 2.4.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_user_radius.

New in fortinet.fortimanager 2.0.0

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

adom

string / required

The parameter (adom) in the requested URL.

bypass_validation

boolean

Only set to true when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • false ← (default)

  • true

forticloud_access_token

string

Authenticate the Ansible client with a FortiCloud API access token.

proposed_method

string

The overridden method for the underlying JSON-RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The list of rc codes with which the conditions to fail will be overridden.

rc_succeeded

list / elements=integer

The list of rc codes with which the conditions to succeed will be overridden.

state

string / required

The directive to create, update or delete an object.

Choices:

  • "present"

  • "absent"

user_radius

dictionary

The top level parameters set.

account-key-cert-field

string

Deprecated, please rename it to account_key_cert_field. Define subject identity field in certificate for user access right…

Choices:

  • "othername"

  • "rfc822name"

  • "dnsname"

account-key-processing

string

Deprecated, please rename it to account_key_processing. Account key processing operation.

Choices:

  • "same"

  • "strip"

accounting-server

list / elements=dictionary

Deprecated, please rename it to accounting_server. Accounting-Server.

id

integer

ID

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach server.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

port

integer

RADIUS accounting port number.

secret

any

(list) Secret key.

server

string

No description

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

status

string

Status.

Choices:

  • "disable"

  • "enable"

acct-all-servers

string

Deprecated, please rename it to acct_all_servers. Enable/disable sending of accounting messages to all configured servers

Choices:

  • "disable"

  • "enable"

acct-interim-interval

integer

Deprecated, please rename it to acct_interim_interval. Time in seconds between each accounting interim update message.

all-usergroup

string

Deprecated, please rename it to all_usergroup. Enable/disable automatically including this RADIUS server in all user groups.

Choices:

  • "disable"

  • "enable"

auth-type

string

Deprecated, please rename it to auth_type. Authentication methods/protocols permitted for this RADIUS server.

Choices:

  • "pap"

  • "chap"

  • "ms_chap"

  • "ms_chap_v2"

  • "auto"

ca-cert

string

Deprecated, please rename it to ca_cert. CA of server to trust under TLS.

call-station-id-type

string

Deprecated, please rename it to call_station_id_type. Calling & Called station identifier type configuration

Choices:

  • "legacy"

  • "IP"

  • "MAC"

class

any

(list) Class attribute name

client-cert

string

Deprecated, please rename it to client_cert. Client certificate to use under TLS.

delimiter

string

Configure delimiter to be used for separating profile group names in the SSO attribute

Choices:

  • "plus"

  • "comma"

dynamic_mapping

list / elements=dictionary

Dynamic_Mapping.

_scope

list / elements=dictionary

_Scope.

name

string

Name.

vdom

string

Vdom.

account-key-cert-field

string

Deprecated, please rename it to account_key_cert_field. Define subject identity field in certificate for user acce…

Choices:

  • "othername"

  • "rfc822name"

  • "dnsname"

account-key-processing

string

Deprecated, please rename it to account_key_processing. Account key processing operation.

Choices:

  • "same"

  • "strip"

accounting-server

list / elements=dictionary

Deprecated, please rename it to accounting_server. Accounting-Server.

id

integer

ID

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach…

Choices:

  • "auto"

  • "sdwan"

  • "specify"

port

integer

RADIUS accounting port number.

secret

any

(list) Secret key.

server

string

No description

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

status

string

Status.

Choices:

  • "disable"

  • "enable"

acct-all-servers

string

Deprecated, please rename it to acct_all_servers. Enable/disable sending of accounting messages to all configured …

Choices:

  • "disable"

  • "enable"

acct-interim-interval

integer

Deprecated, please rename it to acct_interim_interval. Time in seconds between each accounting interim update message.

all-usergroup

string

Deprecated, please rename it to all_usergroup. Enable/disable automatically including this RADIUS server in all us…

Choices:

  • "disable"

  • "enable"

auth-type

string

Deprecated, please rename it to auth_type. Authentication methods/protocols permitted for this RADIUS server.

Choices:

  • "pap"

  • "chap"

  • "ms_chap"

  • "ms_chap_v2"

  • "auto"

ca-cert

string

Deprecated, please rename it to ca_cert. CA of server to trust under TLS.

call-station-id-type

string

Deprecated, please rename it to call_station_id_type. Calling & Called station identifier type configuration

Choices:

  • "legacy"

  • "IP"

  • "MAC"

class

any

(list) Class attribute name

client-cert

string

Deprecated, please rename it to client_cert. Client certificate to use under TLS.

delimiter

string

Configure delimiter to be used for separating profile group names in the SSO attribute

Choices:

  • "plus"

  • "comma"

dp-carrier-endpoint-attribute

string

Deprecated, please rename it to dp_carrier_endpoint_attribute. Dp-Carrier-Endpoint-Attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-carrier-endpoint-block-attribute

string

Deprecated, please rename it to dp_carrier_endpoint_block_attribute. Dp-Carrier-Endpoint-Block-Attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-context-timeout

integer

Deprecated, please rename it to dp_context_timeout. Dp-Context-Timeout.

dp-flush-ip-session

string

Deprecated, please rename it to dp_flush_ip_session. Dp-Flush-Ip-Session.

Choices:

  • "disable"

  • "enable"

dp-hold-time

integer

Deprecated, please rename it to dp_hold_time. Dp-Hold-Time.

dp-http-header

string

Deprecated, please rename it to dp_http_header. Dp-Http-Header.

dp-http-header-fallback

string

Deprecated, please rename it to dp_http_header_fallback. Dp-Http-Header-Fallback.

Choices:

  • "ip-header-address"

  • "default-profile"

dp-http-header-status

string

Deprecated, please rename it to dp_http_header_status. Dp-Http-Header-Status.

Choices:

  • "disable"

  • "enable"

dp-http-header-suppress

string

Deprecated, please rename it to dp_http_header_suppress. Dp-Http-Header-Suppress.

Choices:

  • "disable"

  • "enable"

dp-log-dyn_flags

list / elements=string

Deprecated, please rename it to dp_log_dyn_flags. Dp-Log-Dyn_Flags.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

dp-log-period

integer

Deprecated, please rename it to dp_log_period. Dp-Log-Period.

dp-mem-percent

integer

Deprecated, please rename it to dp_mem_percent. Dp-Mem-Percent.

dp-profile-attribute

string

Deprecated, please rename it to dp_profile_attribute. Dp-Profile-Attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-profile-attribute-key

string

Deprecated, please rename it to dp_profile_attribute_key. Dp-Profile-Attribute-Key.

dp-radius-response

string

Deprecated, please rename it to dp_radius_response. Dp-Radius-Response.

Choices:

  • "disable"

  • "enable"

dp-radius-server-port

integer

Deprecated, please rename it to dp_radius_server_port. Dp-Radius-Server-Port.

dp-secret

any

(list) Deprecated, please rename it to dp_secret. Dp-Secret.

dp-validate-request-secret

string

Deprecated, please rename it to dp_validate_request_secret. Dp-Validate-Request-Secret.

Choices:

  • "disable"

  • "enable"

dynamic-profile

string

Deprecated, please rename it to dynamic_profile. Dynamic-Profile.

Choices:

  • "disable"

  • "enable"

endpoint-translation

string

Deprecated, please rename it to endpoint_translation. Endpoint-Translation.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-convert-hex

string

Deprecated, please rename it to ep_carrier_endpoint_convert_hex. Ep-Carrier-Endpoint-Convert-Hex.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-header

string

Deprecated, please rename it to ep_carrier_endpoint_header. Ep-Carrier-Endpoint-Header.

ep-carrier-endpoint-header-suppress

string

Deprecated, please rename it to ep_carrier_endpoint_header_suppress. Ep-Carrier-Endpoint-Header-Suppress.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-prefix

string

Deprecated, please rename it to ep_carrier_endpoint_prefix. Ep-Carrier-Endpoint-Prefix.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-prefix-range-max

integer

Deprecated, please rename it to ep_carrier_endpoint_prefix_range_max. Ep-Carrier-Endpoint-Prefix-Range-Max.

ep-carrier-endpoint-prefix-range-min

integer

Deprecated, please rename it to ep_carrier_endpoint_prefix_range_min. Ep-Carrier-Endpoint-Prefix-Range-Min.

ep-carrier-endpoint-prefix-string

string

Deprecated, please rename it to ep_carrier_endpoint_prefix_string. Ep-Carrier-Endpoint-Prefix-String.

ep-carrier-endpoint-source

string

Deprecated, please rename it to ep_carrier_endpoint_source. Ep-Carrier-Endpoint-Source.

Choices:

  • "http-header"

  • "cookie"

ep-ip-header

string

Deprecated, please rename it to ep_ip_header. Ep-Ip-Header.

ep-ip-header-suppress

string

Deprecated, please rename it to ep_ip_header_suppress. Ep-Ip-Header-Suppress.

Choices:

  • "disable"

  • "enable"

ep-missing-header-fallback

string

Deprecated, please rename it to ep_missing_header_fallback. Ep-Missing-Header-Fallback.

Choices:

  • "session-ip"

  • "policy-profile"

ep-profile-query-type

string

Deprecated, please rename it to ep_profile_query_type. Ep-Profile-Query-Type.

Choices:

  • "session-ip"

  • "extract-ip"

  • "extract-carrier-endpoint"

group-override-attr-type

string

Deprecated, please rename it to group_override_attr_type. Group-Override-Attr-Type.

Choices:

  • "filter-Id"

  • "class"

h3c-compatibility

string

Deprecated, please rename it to h3c_compatibility. Enable/disable compatibility with the H3C, a mechanism that per…

Choices:

  • "disable"

  • "enable"

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach server.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

mac-case

string

Deprecated, please rename it to mac_case. MAC authentication case

Choices:

  • "uppercase"

  • "lowercase"

mac-password-delimiter

string

Deprecated, please rename it to mac_password_delimiter. MAC authentication password delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

mac-username-delimiter

string

Deprecated, please rename it to mac_username_delimiter. MAC authentication username delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

nas-id

string

Deprecated, please rename it to nas_id. Custom NAS identifier.

nas-id-type

string

Deprecated, please rename it to nas_id_type. NAS identifier type configuration

Choices:

  • "legacy"

  • "custom"

  • "hostname"

nas-ip

string

Deprecated, please rename it to nas_ip. IP address used to communicate with the RADIUS server and used as NAS-IP-A…

password-encoding

string

Deprecated, please rename it to password_encoding. Password encoding.

Choices:

  • "ISO-8859-1"

  • "auto"

password-renewal

string

Deprecated, please rename it to password_renewal. Enable/disable password renewal.

Choices:

  • "disable"

  • "enable"

radius-coa

string

Deprecated, please rename it to radius_coa. Enable to allow a mechanism to change the attributes of an authenticat…

Choices:

  • "disable"

  • "enable"

radius-port

integer

Deprecated, please rename it to radius_port. RADIUS service port number.

rsso

string

Enable/disable RADIUS based single sign on feature.

Choices:

  • "disable"

  • "enable"

rsso-context-timeout

integer

Deprecated, please rename it to rsso_context_timeout. Time in seconds before the logged out user is removed from t…

rsso-endpoint-attribute

string

Deprecated, please rename it to rsso_endpoint_attribute. RADIUS attributes used to extract the user end point iden…

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-endpoint-block-attribute

string

Deprecated, please rename it to rsso_endpoint_block_attribute. RADIUS attributes used to block a user.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-ep-one-ip-only

string

Deprecated, please rename it to rsso_ep_one_ip_only. Enable/disable the replacement of old IP addresses with new o…

Choices:

  • "disable"

  • "enable"

rsso-flush-ip-session

string

Deprecated, please rename it to rsso_flush_ip_session. Enable/disable flushing user IP sessions on RADIUS accounti…

Choices:

  • "disable"

  • "enable"

rsso-log-flags

list / elements=string

Deprecated, please rename it to rsso_log_flags. Events to log.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

rsso-log-period

integer

Deprecated, please rename it to rsso_log_period. Time interval in seconds that group event log messages will be ge…

rsso-radius-response

string

Deprecated, please rename it to rsso_radius_response. Enable/disable sending RADIUS response packets after receivi…

Choices:

  • "disable"

  • "enable"

rsso-radius-server-port

integer

Deprecated, please rename it to rsso_radius_server_port. UDP port to listen on for RADIUS Start and Stop records.

rsso-secret

any

(list) Deprecated, please rename it to rsso_secret. RADIUS secret used by the RADIUS accounting server.

rsso-validate-request-secret

string

Deprecated, please rename it to rsso_validate_request_secret. Enable/disable validating the RADIUS request shared …

Choices:

  • "disable"

  • "enable"

secondary-secret

any

(list) Deprecated, please rename it to secondary_secret. Secret key to access the secondary server.

secondary-server

string

Deprecated, please rename it to secondary_server. No description

secret

any

(list) Pre-shared secret key used to access the primary RADIUS server.

server

string

Primary RADIUS server CN domain name or IP address.

server-identity-check

string

Deprecated, please rename it to server_identity_check. Enable/disable RADIUS server identity check

Choices:

  • "disable"

  • "enable"

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

sso-attribute

string

Deprecated, please rename it to sso_attribute. RADIUS attribute that contains the profile group name to be extract…

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

sso-attribute-key

string

Deprecated, please rename it to sso_attribute_key. Key prefix for SSO group value in the SSO attribute.

sso-attribute-value-override

string

Deprecated, please rename it to sso_attribute_value_override. Enable/disable override old attribute value with new…

Choices:

  • "disable"

  • "enable"

status-ttl

integer

Deprecated, please rename it to status_ttl. Time for which server reachability is cached so that when a server is …

switch-controller-acct-fast-framedip-detect

integer

Deprecated, please rename it to switch_controller_acct_fast_framedip_detect. Switch-Controller-Acct-Fast-Framedip-…

switch-controller-nas-ip-dynamic

string

Deprecated, please rename it to switch_controller_nas_ip_dynamic. Enable/Disable switch-controller nas-ip dynamic …

Choices:

  • "disable"

  • "enable"

switch-controller-service-type

list / elements=string

Deprecated, please rename it to switch_controller_service_type. Switch-Controller-Service-Type.

Choices:

  • "login"

  • "framed"

  • "callback-login"

  • "callback-framed"

  • "outbound"

  • "administrative"

  • "nas-prompt"

  • "authenticate-only"

  • "callback-nas-prompt"

  • "call-check"

  • "callback-administrative"

tertiary-secret

any

(list) Deprecated, please rename it to tertiary_secret. Secret key to access the tertiary server.

tertiary-server

string

Deprecated, please rename it to tertiary_server. No description

timeout

integer

Time in seconds between re-sending authentication requests.

tls-min-proto-version

string

Deprecated, please rename it to tls_min_proto_version. Minimum supported protocol version for TLS connections

Choices:

  • "default"

  • "TLSv1"

  • "TLSv1-1"

  • "TLSv1-2"

  • "SSLv3"

  • "TLSv1-3"

transport-protocol

string

Deprecated, please rename it to transport_protocol. Transport protocol to be used

Choices:

  • "udp"

  • "tcp"

  • "tls"

use-group-for-profile

string

Deprecated, please rename it to use_group_for_profile. Use-Group-For-Profile.

Choices:

  • "disable"

  • "enable"

use-management-vdom

string

Deprecated, please rename it to use_management_vdom. Enable/disable using management VDOM to send requests.

Choices:

  • "disable"

  • "enable"

username-case-sensitive

string

Deprecated, please rename it to username_case_sensitive. Enable/disable case sensitive user names.

Choices:

  • "disable"

  • "enable"

group-override-attr-type

string

Deprecated, please rename it to group_override_attr_type. RADIUS attribute type to override user group information.

Choices:

  • "filter-Id"

  • "class"

h3c-compatibility

string

Deprecated, please rename it to h3c_compatibility. Enable/disable compatibility with the H3C, a mechanism that performs se…

Choices:

  • "disable"

  • "enable"

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach server.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

mac-case

string

Deprecated, please rename it to mac_case. MAC authentication case

Choices:

  • "uppercase"

  • "lowercase"

mac-password-delimiter

string

Deprecated, please rename it to mac_password_delimiter. MAC authentication password delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

mac-username-delimiter

string

Deprecated, please rename it to mac_username_delimiter. MAC authentication username delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

name

string / required

RADIUS server entry name.

nas-id

string

Deprecated, please rename it to nas_id. Custom NAS identifier.

nas-id-type

string

Deprecated, please rename it to nas_id_type. NAS identifier type configuration

Choices:

  • "legacy"

  • "custom"

  • "hostname"

nas-ip

string

Deprecated, please rename it to nas_ip. IP address used to communicate with the RADIUS server and used as NAS-IP-Address a…

password-encoding

string

Deprecated, please rename it to password_encoding. Password encoding.

Choices:

  • "ISO-8859-1"

  • "auto"

password-renewal

string

Deprecated, please rename it to password_renewal. Enable/disable password renewal.

Choices:

  • "disable"

  • "enable"

radius-coa

string

Deprecated, please rename it to radius_coa. Enable to allow a mechanism to change the attributes of an authentication, aut…

Choices:

  • "disable"

  • "enable"

radius-port

integer

Deprecated, please rename it to radius_port. RADIUS service port number.

rsso

string

Enable/disable RADIUS based single sign on feature.

Choices:

  • "disable"

  • "enable"

rsso-context-timeout

integer

Deprecated, please rename it to rsso_context_timeout. Time in seconds before the logged out user is removed from the user …

rsso-endpoint-attribute

string

Deprecated, please rename it to rsso_endpoint_attribute. RADIUS attributes used to extract the user end point identifier fr…

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-endpoint-block-attribute

string

Deprecated, please rename it to rsso_endpoint_block_attribute. RADIUS attributes used to block a user.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-ep-one-ip-only

string

Deprecated, please rename it to rsso_ep_one_ip_only. Enable/disable the replacement of old IP addresses with new ones for …

Choices:

  • "disable"

  • "enable"

rsso-flush-ip-session

string

Deprecated, please rename it to rsso_flush_ip_session. Enable/disable flushing user IP sessions on RADIUS accounting Stop …

Choices:

  • "disable"

  • "enable"

rsso-log-flags

list / elements=string

Deprecated, please rename it to rsso_log_flags. Events to log.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

rsso-log-period

integer

Deprecated, please rename it to rsso_log_period. Time interval in seconds that group event log messages will be generated …

rsso-radius-response

string

Deprecated, please rename it to rsso_radius_response. Enable/disable sending RADIUS response packets after receiving Start…

Choices:

  • "disable"

  • "enable"

rsso-radius-server-port

integer

Deprecated, please rename it to rsso_radius_server_port. UDP port to listen on for RADIUS Start and Stop records.

rsso-secret

any

(list) Deprecated, please rename it to rsso_secret. RADIUS secret used by the RADIUS accounting server.

rsso-validate-request-secret

string

Deprecated, please rename it to rsso_validate_request_secret. Enable/disable validating the RADIUS request shared secret i…

Choices:

  • "disable"

  • "enable"

secondary-secret

any

(list) Deprecated, please rename it to secondary_secret. Secret key to access the secondary server.

secondary-server

string

Deprecated, please rename it to secondary_server. No description

secret

any

(list) Pre-shared secret key used to access the primary RADIUS server.

server

string

Primary RADIUS server CN domain name or IP address.

server-identity-check

string

Deprecated, please rename it to server_identity_check. Enable/disable RADIUS server identity check

Choices:

  • "disable"

  • "enable"

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

sso-attribute

string

Deprecated, please rename it to sso_attribute. RADIUS attribute that contains the profile group name to be extracted from …

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

sso-attribute-key

string

Deprecated, please rename it to sso_attribute_key. Key prefix for SSO group value in the SSO attribute.

sso-attribute-value-override

string

Deprecated, please rename it to sso_attribute_value_override. Enable/disable override old attribute value with new value f…

Choices:

  • "disable"

  • "enable"

status-ttl

integer

Deprecated, please rename it to status_ttl. Time for which server reachability is cached so that when a server is unreacha…

switch-controller-acct-fast-framedip-detect

integer

Deprecated, please rename it to switch_controller_acct_fast_framedip_detect. Switch controller accounting message Framed-I…

switch-controller-nas-ip-dynamic

string

Deprecated, please rename it to switch_controller_nas_ip_dynamic. Enable/Disable switch-controller nas-ip dynamic to dynam…

Choices:

  • "disable"

  • "enable"

switch-controller-service-type

list / elements=string

Deprecated, please rename it to switch_controller_service_type. RADIUS service type.

Choices:

  • "login"

  • "framed"

  • "callback-login"

  • "callback-framed"

  • "outbound"

  • "administrative"

  • "nas-prompt"

  • "authenticate-only"

  • "callback-nas-prompt"

  • "call-check"

  • "callback-administrative"

tertiary-secret

any

(list) Deprecated, please rename it to tertiary_secret. Secret key to access the tertiary server.

tertiary-server

string

Deprecated, please rename it to tertiary_server. No description

timeout

integer

Time in seconds between re-sending authentication requests.

tls-min-proto-version

string

Deprecated, please rename it to tls_min_proto_version. Minimum supported protocol version for TLS connections

Choices:

  • "default"

  • "TLSv1"

  • "TLSv1-1"

  • "TLSv1-2"

  • "SSLv3"

  • "TLSv1-3"

transport-protocol

string

Deprecated, please rename it to transport_protocol. Transport protocol to be used

Choices:

  • "udp"

  • "tcp"

  • "tls"

use-management-vdom

string

Deprecated, please rename it to use_management_vdom. Enable/disable using management VDOM to send requests.

Choices:

  • "disable"

  • "enable"

username-case-sensitive

string

Deprecated, please rename it to username_case_sensitive. Enable/disable case sensitive user names.

Choices:

  • "disable"

  • "enable"

workspace_locking_adom

string

The ADOM to lock when FortiManager is running in workspace mode. The value can be global or any other ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

  • This FortiManager module supports running in workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Configure RADIUS server entries.
      fortinet.fortimanager.fmgr_user_radius:
        bypass_validation: false
        adom: ansible
        state: present
        user_radius:
          name: ansible-test-radius
          server: ansible
          timeout: 200

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the RADIUS server entries
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "user_radius"
          params:
            adom: "ansible"
            radius: "your_value"
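
The playbook below is an added example, not part of the module's own documentation. It sets the transport-related parameters listed above (transport_protocol, tls_min_proto_version, server_identity_check) to their stricter choices and keeps certificate validation on for the httpapi connection, where the examples above set ansible_httpapi_validate_certs to false. The hostname radius.example.com and the variable vault_radius_secret are assumptions.

```yaml
- name: Configure a RADIUS server entry over TLS (added example)
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # Verify the FortiManager certificate on the management connection.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure RADIUS server entry with TLS transport
      fortinet.fortimanager.fmgr_user_radius:
        bypass_validation: false
        adom: ansible
        state: present
        user_radius:
          name: ansible-test-radius
          # Constructed hostname. The page describes this field as the
          # server CN domain name or IP address.
          server: radius.example.com
          # Hypothetical Ansible Vault variable, so the shared secret is
          # not stored in the playbook. The page documents secret as a list.
          secret:
            - "{{ vault_radius_secret }}"
          # Snake_case names, as required from collection version 2.4.0.
          transport_protocol: tls
          tls_min_proto_version: TLSv1-2
          server_identity_check: enable
      # Keep the rendered secret out of task output and logs.
      no_log: true
```

If the target FortiManager version does not support one of these parameters, the module reports it in version_check_warning.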

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full url requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_data

list / elements=string

The API response.

Returned: always

response_message

string

The descriptive message of the API response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status of the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)