fortinet.fortimanager.fmgr_user_radius module – Configure RADIUS server entries.

Note

This module is part of the fortinet.fortimanager collection (version 2.7.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_user_radius.

New in fortinet.fortimanager 2.0.0

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.
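An added example (not taken from the collection's own documentation) showing a RADIUS entry defined with the TLS-related parameters listed under Parameters below, using the non-deprecated underscore names. The inventory group, ADOM, entry name, server host name, CA certificate name and the `vault_radius_secret` variable are assumptions, and the managed devices are assumed to support RADIUS over TLS.

```yaml
# Added example. Hypothetical values: inventory group "fortimanagers",
# ADOM "root", entry name, server host name, CA certificate name and the
# vault variable. Credentials and other connection settings live in
# inventory and are not shown.
- name: Define a RADIUS server entry that uses TLS transport
  hosts: fortimanagers
  connection: httpapi
  gather_facts: false
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # verify FortiManager's own certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the RADIUS entry
      fortinet.fortimanager.fmgr_user_radius:
        adom: root
        state: present
        # bypass_validation is left at its default (false) so the module
        # still validates these parameters against its schema.
        user_radius:
          name: corp-radius
          server: radius.example.internal
          # Shared secret comes from Ansible Vault, never from plain text.
          secret: "{{ vault_radius_secret }}"
          # "udp" and "tcp" carry RADIUS without TLS.
          transport_protocol: tls
          # The choices also include SSLv3, TLSv1 and TLSv1-1; pin a floor.
          tls_min_proto_version: TLSv1-2
          # Check the server's identity against the trusted CA.
          server_identity_check: enable
          ca_cert: Example_RADIUS_CA
          # Do not add this server to every user group automatically.
          all_usergroup: disable
          timeout: 5
      # Keep the secret out of task output and logs.
      no_log: true
```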

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

adom

string / required

The parameter (adom) in the requested URL.

bypass_validation

boolean

Only set to true when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • false ← (default)

  • true

forticloud_access_token

string

Authenticate Ansible client with forticloud API access token.

proposed_method

string

The overridden method for the underlying JSON RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The list of rc codes with which the conditions to fail will be overridden.

rc_succeeded

list / elements=integer

The list of rc codes with which the conditions to succeed will be overridden.

state

string / required

The directive to create, update or delete an object.

Choices:

  • "present"

  • "absent"

user_radius

dictionary

The top level parameters set.

account-key-cert-field

string

Deprecated, please rename it to account_key_cert_field. Define subject identity field in certificate for user access right…

Choices:

  • "othername"

  • "rfc822name"

  • "dnsname"

  • "cn"

account-key-processing

string

Deprecated, please rename it to account_key_processing. Account key processing operation.

Choices:

  • "same"

  • "strip"

accounting-server

list / elements=dictionary

Deprecated, please rename it to accounting_server. Accounting server.

id

integer

ID

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach server.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

port

integer

RADIUS accounting port number.

secret

any

(list) Secret key.

server

string

No description

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

status

string

Status.

Choices:

  • "disable"

  • "enable"

acct-all-servers

string

Deprecated, please rename it to acct_all_servers. Enable/disable sending of accounting messages to all configured servers

Choices:

  • "disable"

  • "enable"

acct-interim-interval

integer

Deprecated, please rename it to acct_interim_interval. Time in seconds between each accounting interim update message.

all-usergroup

string

Deprecated, please rename it to all_usergroup. Enable/disable automatically including this RADIUS server in all user groups.

Choices:

  • "disable"

  • "enable"

auth-type

string

Deprecated, please rename it to auth_type. Authentication methods/protocols permitted for this RADIUS server.

Choices:

  • "pap"

  • "chap"

  • "ms_chap"

  • "ms_chap_v2"

  • "auto"

ca-cert

string

Deprecated, please rename it to ca_cert. CA of server to trust under TLS.

call-station-id-type

string

Deprecated, please rename it to call_station_id_type. Calling & Called station identifier type configuration

Choices:

  • "legacy"

  • "IP"

  • "MAC"

class

any

(list) Class attribute name

client-cert

string

Deprecated, please rename it to client_cert. Client certificate to use under TLS.

delimiter

string

Configure delimiter to be used for separating profile group names in the SSO attribute

Choices:

  • "plus"

  • "comma"

dynamic_mapping

list / elements=dictionary

Dynamic mapping.

_scope

list / elements=dictionary

Scope.

name

string

Name.

vdom

string

Vdom.

account-key-cert-field

string

Deprecated, please rename it to account_key_cert_field. Define subject identity field in certificate for user acce…

Choices:

  • "othername"

  • "rfc822name"

  • "dnsname"

  • "cn"

account-key-processing

string

Deprecated, please rename it to account_key_processing. Account key processing operation.

Choices:

  • "same"

  • "strip"

accounting-server

list / elements=dictionary

Deprecated, please rename it to accounting_server. Accounting server.

id

integer

Id.

interface

string

Interface.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Interface select method.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

port

integer

Port.

secret

any

(list) Secret.

server

string

Server.

source-ip

string

Deprecated, please rename it to source_ip. Source ip.

status

string

Status.

Choices:

  • "disable"

  • "enable"

acct-all-servers

string

Deprecated, please rename it to acct_all_servers. Acct all servers.

Choices:

  • "disable"

  • "enable"

acct-interim-interval

integer

Deprecated, please rename it to acct_interim_interval. Acct interim interval.

all-usergroup

string

Deprecated, please rename it to all_usergroup. All usergroup.

Choices:

  • "disable"

  • "enable"

auth-type

string

Deprecated, please rename it to auth_type. Auth type.

Choices:

  • "pap"

  • "chap"

  • "ms_chap"

  • "ms_chap_v2"

  • "auto"

ca-cert

string

Deprecated, please rename it to ca_cert. CA of server to trust under TLS.

call-station-id-type

string

Deprecated, please rename it to call_station_id_type. Calling & Called station identifier type configuration

Choices:

  • "legacy"

  • "IP"

  • "MAC"

class

any

(list) Class.

client-cert

string

Deprecated, please rename it to client_cert. Client certificate to use under TLS.

delimiter

string

Configure delimiter to be used for separating profile group names in the SSO attribute

Choices:

  • "plus"

  • "comma"

dp-carrier-endpoint-attribute

string

Deprecated, please rename it to dp_carrier_endpoint_attribute. Dp carrier endpoint attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-carrier-endpoint-block-attribute

string

Deprecated, please rename it to dp_carrier_endpoint_block_attribute. Dp carrier endpoint block attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-context-timeout

integer

Deprecated, please rename it to dp_context_timeout. Dp context timeout.

dp-flush-ip-session

string

Deprecated, please rename it to dp_flush_ip_session. Dp flush ip session.

Choices:

  • "disable"

  • "enable"

dp-hold-time

integer

Deprecated, please rename it to dp_hold_time. Dp hold time.

dp-http-header

string

Deprecated, please rename it to dp_http_header. Dp http header.

dp-http-header-fallback

string

Deprecated, please rename it to dp_http_header_fallback. Dp http header fallback.

Choices:

  • "ip-header-address"

  • "default-profile"

dp-http-header-status

string

Deprecated, please rename it to dp_http_header_status. Dp http header status.

Choices:

  • "disable"

  • "enable"

dp-http-header-suppress

string

Deprecated, please rename it to dp_http_header_suppress. Dp http header suppress.

Choices:

  • "disable"

  • "enable"

dp-log-dyn_flags

list / elements=string

Deprecated, please rename it to dp_log_dyn_flags. Dp log dyn flags.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

dp-log-period

integer

Deprecated, please rename it to dp_log_period. Dp log period.

dp-mem-percent

integer

Deprecated, please rename it to dp_mem_percent. Dp mem percent.

dp-profile-attribute

string

Deprecated, please rename it to dp_profile_attribute. Dp profile attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Vendor-Specific"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

dp-profile-attribute-key

string

Deprecated, please rename it to dp_profile_attribute_key. Dp profile attribute key.

dp-radius-response

string

Deprecated, please rename it to dp_radius_response. Dp radius response.

Choices:

  • "disable"

  • "enable"

dp-radius-server-port

integer

Deprecated, please rename it to dp_radius_server_port. Dp radius server port.

dp-secret

any

(list) Deprecated, please rename it to dp_secret. Dp secret.

dp-validate-request-secret

string

Deprecated, please rename it to dp_validate_request_secret. Dp validate request secret.

Choices:

  • "disable"

  • "enable"

dynamic-profile

string

Deprecated, please rename it to dynamic_profile. Dynamic profile.

Choices:

  • "disable"

  • "enable"

endpoint-translation

string

Deprecated, please rename it to endpoint_translation. Endpoint translation.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-convert-hex

string

Deprecated, please rename it to ep_carrier_endpoint_convert_hex. Ep carrier endpoint convert hex.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-header

string

Deprecated, please rename it to ep_carrier_endpoint_header. Ep carrier endpoint header.

ep-carrier-endpoint-header-suppress

string

Deprecated, please rename it to ep_carrier_endpoint_header_suppress. Ep carrier endpoint header suppress.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-prefix

string

Deprecated, please rename it to ep_carrier_endpoint_prefix. Ep carrier endpoint prefix.

Choices:

  • "disable"

  • "enable"

ep-carrier-endpoint-prefix-range-max

integer

Deprecated, please rename it to ep_carrier_endpoint_prefix_range_max. Ep carrier endpoint prefix range max.

ep-carrier-endpoint-prefix-range-min

integer

Deprecated, please rename it to ep_carrier_endpoint_prefix_range_min. Ep carrier endpoint prefix range min.

ep-carrier-endpoint-prefix-string

string

Deprecated, please rename it to ep_carrier_endpoint_prefix_string. Ep carrier endpoint prefix string.

ep-carrier-endpoint-source

string

Deprecated, please rename it to ep_carrier_endpoint_source. Ep carrier endpoint source.

Choices:

  • "http-header"

  • "cookie"

ep-ip-header

string

Deprecated, please rename it to ep_ip_header. Ep ip header.

ep-ip-header-suppress

string

Deprecated, please rename it to ep_ip_header_suppress. Ep ip header suppress.

Choices:

  • "disable"

  • "enable"

ep-missing-header-fallback

string

Deprecated, please rename it to ep_missing_header_fallback. Ep missing header fallback.

Choices:

  • "session-ip"

  • "policy-profile"

ep-profile-query-type

string

Deprecated, please rename it to ep_profile_query_type. Ep profile query type.

Choices:

  • "session-ip"

  • "extract-ip"

  • "extract-carrier-endpoint"

group-override-attr-type

string

Deprecated, please rename it to group_override_attr_type. Group override attr type.

Choices:

  • "filter-Id"

  • "class"

h3c-compatibility

string

Deprecated, please rename it to h3c_compatibility. H3c compatibility.

Choices:

  • "disable"

  • "enable"

interface

string

Interface.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Interface select method.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

mac-case

string

Deprecated, please rename it to mac_case. MAC authentication case

Choices:

  • "uppercase"

  • "lowercase"

mac-password-delimiter

string

Deprecated, please rename it to mac_password_delimiter. MAC authentication password delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

mac-username-delimiter

string

Deprecated, please rename it to mac_username_delimiter. MAC authentication username delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

nas-id

string

Deprecated, please rename it to nas_id. Custom NAS identifier.

nas-id-type

string

Deprecated, please rename it to nas_id_type. NAS identifier type configuration

Choices:

  • "legacy"

  • "custom"

  • "hostname"

nas-ip

string

Deprecated, please rename it to nas_ip. Nas ip.

password-encoding

string

Deprecated, please rename it to password_encoding. Password encoding.

Choices:

  • "ISO-8859-1"

  • "auto"

password-renewal

string

Deprecated, please rename it to password_renewal. Password renewal.

Choices:

  • "disable"

  • "enable"

radius-coa

string

Deprecated, please rename it to radius_coa. Radius coa.

Choices:

  • "disable"

  • "enable"

radius-port

integer

Deprecated, please rename it to radius_port. Radius port.

rsso

string

Rsso.

Choices:

  • "disable"

  • "enable"

rsso-context-timeout

integer

Deprecated, please rename it to rsso_context_timeout. Rsso context timeout.

rsso-endpoint-attribute

string

Deprecated, please rename it to rsso_endpoint_attribute. Rsso endpoint attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-endpoint-block-attribute

string

Deprecated, please rename it to rsso_endpoint_block_attribute. Rsso endpoint block attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-ep-one-ip-only

string

Deprecated, please rename it to rsso_ep_one_ip_only. Rsso ep one ip only.

Choices:

  • "disable"

  • "enable"

rsso-flush-ip-session

string

Deprecated, please rename it to rsso_flush_ip_session. Rsso flush ip session.

Choices:

  • "disable"

  • "enable"

rsso-log-flags

list / elements=string

Deprecated, please rename it to rsso_log_flags. Rsso log flags.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

rsso-log-period

integer

Deprecated, please rename it to rsso_log_period. Rsso log period.

rsso-radius-response

string

Deprecated, please rename it to rsso_radius_response. Rsso radius response.

Choices:

  • "disable"

  • "enable"

rsso-radius-server-port

integer

Deprecated, please rename it to rsso_radius_server_port. Rsso radius server port.

rsso-secret

any

(list) Deprecated, please rename it to rsso_secret. Rsso secret.

rsso-validate-request-secret

string

Deprecated, please rename it to rsso_validate_request_secret. Rsso validate request secret.

Choices:

  • "disable"

  • "enable"

secondary-secret

any

(list) Deprecated, please rename it to secondary_secret. Secondary secret.

secondary-server

string

Deprecated, please rename it to secondary_server. Secondary server.

secret

any

(list) Secret.

server

string

Server.

server-identity-check

string

Deprecated, please rename it to server_identity_check. Enable/disable RADIUS server identity check

Choices:

  • "disable"

  • "enable"

source-ip

string

Deprecated, please rename it to source_ip. Source ip.

source-ip-interface

any

(list) Deprecated, please rename it to source_ip_interface. Source interface for communication with the RADIUS server.

sso-attribute

string

Deprecated, please rename it to sso_attribute. Sso attribute.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

sso-attribute-key

string

Deprecated, please rename it to sso_attribute_key. Sso attribute key.

sso-attribute-value-override

string

Deprecated, please rename it to sso_attribute_value_override. Sso attribute value override.

Choices:

  • "disable"

  • "enable"

status-ttl

integer

Deprecated, please rename it to status_ttl. Time for which server reachability is cached so that when a server is …

switch-controller-acct-fast-framedip-detect

integer

Deprecated, please rename it to switch_controller_acct_fast_framedip_detect. Switch controller acct fast framedip …

switch-controller-nas-ip-dynamic

string

Deprecated, please rename it to switch_controller_nas_ip_dynamic. Enable/Disable switch-controller nas-ip dynamic …

Choices:

  • "disable"

  • "enable"

switch-controller-service-type

list / elements=string

Deprecated, please rename it to switch_controller_service_type. Switch controller service type.

Choices:

  • "login"

  • "framed"

  • "callback-login"

  • "callback-framed"

  • "outbound"

  • "administrative"

  • "nas-prompt"

  • "authenticate-only"

  • "callback-nas-prompt"

  • "call-check"

  • "callback-administrative"

tertiary-secret

any

(list) Deprecated, please rename it to tertiary_secret. Tertiary secret.

tertiary-server

string

Deprecated, please rename it to tertiary_server. Tertiary server.

timeout

integer

Timeout.

tls-min-proto-version

string

Deprecated, please rename it to tls_min_proto_version. Minimum supported protocol version for TLS connections

Choices:

  • "default"

  • "TLSv1"

  • "TLSv1-1"

  • "TLSv1-2"

  • "SSLv3"

  • "TLSv1-3"

transport-protocol

string

Deprecated, please rename it to transport_protocol. Transport protocol to be used

Choices:

  • "udp"

  • "tcp"

  • "tls"

use-group-for-profile

string

Deprecated, please rename it to use_group_for_profile. Use group for profile.

Choices:

  • "disable"

  • "enable"

use-management-vdom

string

Deprecated, please rename it to use_management_vdom. Use management vdom.

Choices:

  • "disable"

  • "enable"

username-case-sensitive

string

Deprecated, please rename it to username_case_sensitive. Username case sensitive.

Choices:

  • "disable"

  • "enable"

group-override-attr-type

string

Deprecated, please rename it to group_override_attr_type. RADIUS attribute type to override user group information.

Choices:

  • "filter-Id"

  • "class"

h3c-compatibility

string

Deprecated, please rename it to h3c_compatibility. Enable/disable compatibility with the H3C, a mechanism that performs se…

Choices:

  • "disable"

  • "enable"

interface

string

Specify outgoing interface to reach server.

interface-select-method

string

Deprecated, please rename it to interface_select_method. Specify how to select outgoing interface to reach server.

Choices:

  • "auto"

  • "sdwan"

  • "specify"

mac-case

string

Deprecated, please rename it to mac_case. MAC authentication case

Choices:

  • "uppercase"

  • "lowercase"

mac-password-delimiter

string

Deprecated, please rename it to mac_password_delimiter. MAC authentication password delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

mac-username-delimiter

string

Deprecated, please rename it to mac_username_delimiter. MAC authentication username delimiter

Choices:

  • "hyphen"

  • "single-hyphen"

  • "colon"

  • "none"

name

string / required

RADIUS server entry name.

nas-id

string

Deprecated, please rename it to nas_id. Custom NAS identifier.

nas-id-type

string

Deprecated, please rename it to nas_id_type. NAS identifier type configuration

Choices:

  • "legacy"

  • "custom"

  • "hostname"

nas-ip

string

Deprecated, please rename it to nas_ip. IP address used to communicate with the RADIUS server and used as NAS-IP-Address a…

password-encoding

string

Deprecated, please rename it to password_encoding. Password encoding.

Choices:

  • "ISO-8859-1"

  • "auto"

password-renewal

string

Deprecated, please rename it to password_renewal. Enable/disable password renewal.

Choices:

  • "disable"

  • "enable"

radius-coa

string

Deprecated, please rename it to radius_coa. Enable to allow a mechanism to change the attributes of an authentication, aut…

Choices:

  • "disable"

  • "enable"

radius-port

integer

Deprecated, please rename it to radius_port. RADIUS service port number.

rsso

string

Enable/disable RADIUS based single sign on feature.

Choices:

  • "disable"

  • "enable"

rsso-context-timeout

integer

Deprecated, please rename it to rsso_context_timeout. Time in seconds before the logged out user is removed from the user …

rsso-endpoint-attribute

string

Deprecated, please rename it to rsso_endpoint_attribute. RADIUS attributes used to extract the user end point identifier fr…

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-endpoint-block-attribute

string

Deprecated, please rename it to rsso_endpoint_block_attribute. RADIUS attributes used to block a user.

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

rsso-ep-one-ip-only

string

Deprecated, please rename it to rsso_ep_one_ip_only. Enable/disable the replacement of old IP addresses with new ones for …

Choices:

  • "disable"

  • "enable"

rsso-flush-ip-session

string

Deprecated, please rename it to rsso_flush_ip_session. Enable/disable flushing user IP sessions on RADIUS accounting Stop …

Choices:

  • "disable"

  • "enable"

rsso-log-flags

list / elements=string

Deprecated, please rename it to rsso_log_flags. Events to log.

Choices:

  • "none"

  • "protocol-error"

  • "profile-missing"

  • "context-missing"

  • "accounting-stop-missed"

  • "accounting-event"

  • "radiusd-other"

  • "endpoint-block"

rsso-log-period

integer

Deprecated, please rename it to rsso_log_period. Time interval in seconds that group event log messages will be generated …

rsso-radius-response

string

Deprecated, please rename it to rsso_radius_response. Enable/disable sending RADIUS response packets after receiving Start…

Choices:

  • "disable"

  • "enable"

rsso-radius-server-port

integer

Deprecated, please rename it to rsso_radius_server_port. UDP port to listen on for RADIUS Start and Stop records.

rsso-secret

any

(list) Deprecated, please rename it to rsso_secret. RADIUS secret used by the RADIUS accounting server.

rsso-validate-request-secret

string

Deprecated, please rename it to rsso_validate_request_secret. Enable/disable validating the RADIUS request shared secret i…

Choices:

  • "disable"

  • "enable"

secondary-secret

any

(list) Deprecated, please rename it to secondary_secret. Secret key to access the secondary server.

secondary-server

string

Deprecated, please rename it to secondary_server. No description

secret

any

(list) Pre-shared secret key used to access the primary RADIUS server.

server

string

Primary RADIUS server CN domain name or IP address.

server-identity-check

string

Deprecated, please rename it to server_identity_check. Enable/disable RADIUS server identity check

Choices:

  • "disable"

  • "enable"

source-ip

string

Deprecated, please rename it to source_ip. Source IP address for communications to the RADIUS server.

source-ip-interface

any

(list) Deprecated, please rename it to source_ip_interface. Source interface for communication with the RADIUS server.

sso-attribute

string

Deprecated, please rename it to sso_attribute. RADIUS attribute that contains the profile group name to be extracted from …

Choices:

  • "User-Name"

  • "User-Password"

  • "CHAP-Password"

  • "NAS-IP-Address"

  • "NAS-Port"

  • "Service-Type"

  • "Framed-Protocol"

  • "Framed-IP-Address"

  • "Framed-IP-Netmask"

  • "Framed-Routing"

  • "Filter-Id"

  • "Framed-MTU"

  • "Framed-Compression"

  • "Login-IP-Host"

  • "Login-Service"

  • "Login-TCP-Port"

  • "Reply-Message"

  • "Callback-Number"

  • "Callback-Id"

  • "Framed-Route"

  • "Framed-IPX-Network"

  • "State"

  • "Class"

  • "Session-Timeout"

  • "Idle-Timeout"

  • "Termination-Action"

  • "Called-Station-Id"

  • "Calling-Station-Id"

  • "NAS-Identifier"

  • "Proxy-State"

  • "Login-LAT-Service"

  • "Login-LAT-Node"

  • "Login-LAT-Group"

  • "Framed-AppleTalk-Link"

  • "Framed-AppleTalk-Network"

  • "Framed-AppleTalk-Zone"

  • "Acct-Status-Type"

  • "Acct-Delay-Time"

  • "Acct-Input-Octets"

  • "Acct-Output-Octets"

  • "Acct-Session-Id"

  • "Acct-Authentic"

  • "Acct-Session-Time"

  • "Acct-Input-Packets"

  • "Acct-Output-Packets"

  • "Acct-Terminate-Cause"

  • "Acct-Multi-Session-Id"

  • "Acct-Link-Count"

  • "CHAP-Challenge"

  • "NAS-Port-Type"

  • "Port-Limit"

  • "Login-LAT-Port"

sso-attribute-key

string

Deprecated, please rename it to sso_attribute_key. Key prefix for SSO group value in the SSO attribute.

sso-attribute-value-override

string

Deprecated, please rename it to sso_attribute_value_override. Enable/disable override old attribute value with new value f…

Choices:

  • "disable"

  • "enable"

status-ttl

integer

Deprecated, please rename it to status_ttl. Time for which server reachability is cached so that when a server is unreacha…

switch-controller-acct-fast-framedip-detect

integer

Deprecated, please rename it to switch_controller_acct_fast_framedip_detect. Switch controller accounting message Framed-I…

switch-controller-nas-ip-dynamic

string

Deprecated, please rename it to switch_controller_nas_ip_dynamic. Enable/Disable switch-controller nas-ip dynamic to dynam…

Choices:

  • "disable"

  • "enable"

switch-controller-service-type

list / elements=string

Deprecated, please rename it to switch_controller_service_type. RADIUS service type.

Choices:

  • "login"

  • "framed"

  • "callback-login"

  • "callback-framed"

  • "outbound"

  • "administrative"

  • "nas-prompt"

  • "authenticate-only"

  • "callback-nas-prompt"

  • "call-check"

  • "callback-administrative"

tertiary-secret

any

(list) Deprecated, please rename it to tertiary_secret. Secret key to access the tertiary server.

tertiary-server

string

Deprecated, please rename it to tertiary_server. No description

timeout

integer

Time in seconds between re-sending authentication requests.

tls-min-proto-version

string

Deprecated, please rename it to tls_min_proto_version. Minimum supported protocol version for TLS connections

Choices:

  • "default"

  • "TLSv1"

  • "TLSv1-1"

  • "TLSv1-2"

  • "SSLv3"

  • "TLSv1-3"

transport-protocol

string

Deprecated, please rename it to transport_protocol. Transport protocol to be used

Choices:

  • "udp"

  • "tcp"

  • "tls"

use-management-vdom

string

Deprecated, please rename it to use_management_vdom. Enable/disable using management VDOM to send requests.

Choices:

  • "disable"

  • "enable"

username-case-sensitive

string

Deprecated, please rename it to username_case_sensitive. Enable/disable case sensitive user names.

Choices:

  • "disable"

  • "enable"

workspace_locking_adom

string

The adom to lock when FortiManager is running in workspace mode. The value can be global or any other adom, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes

Note

  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change arguments such as “var-name” to “var_name”. The old argument names still work, but you will receive deprecation warnings. You can ignore these warnings by setting deprecation_warnings=False in ansible.cfg.

  • This FortiManager module supports running in workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions for failure or success with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false  # certificate validation is off; set to true when FortiManager presents a trusted certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Configure RADIUS server entries.
      fortinet.fortimanager.fmgr_user_radius:
        bypass_validation: false
        adom: ansible
        state: present
        user_radius:
          name: ansible-test-radius
          server: ansible
          timeout: 200

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false  # certificate validation is off; set to true when FortiManager presents a trusted certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the RADIUS server entries
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "user_radius"
          params:
            adom: "ansible"
            radius: "your_value"
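
A hardened variant of the first playbook, as an added example that is not part of the module's documentation: it validates the FortiManager certificate on the httpapi connection, takes the shared secret from a vault variable, and uses the documented transport_protocol, tls_min_proto_version and server_identity_check options. The server host name, the vault_radius_secret variable and the timeout value are assumptions, and support for the TLS options depends on the FortiManager version, which is why the second task checks version_check_warning.

```yaml
# Added example, not from the module documentation.
# Host group, ADOM, server name and vault variable are placeholders.
- name: Configure a RADIUS server entry over TLS
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true  # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the RADIUS entry with TLS transport
      fortinet.fortimanager.fmgr_user_radius:
        bypass_validation: false  # keep schema validation of the parameters
        adom: ansible
        state: present
        user_radius:
          name: ansible-test-radius
          server: radius.example.internal      # placeholder host name
          secret: "{{ vault_radius_secret }}"  # hypothetical Ansible Vault variable
          transport_protocol: tls
          tls_min_proto_version: TLSv1-2
          server_identity_check: enable
          timeout: 5
      no_log: true  # keep the shared secret out of task output and logs
      register: radius_result

    - name: Stop if the request failed or a parameter is unsupported
      ansible.builtin.assert:
        that:
          - radius_result.rc == 0
          - (radius_result.version_check_warning | default([])) | length == 0
        fail_msg: RADIUS entry was not applied as written; review the task result.
```

Because no_log hides the first task's output, the assert task is what reports a rejected request or a TLS option the target FortiManager version does not support.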

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full url requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_data

list / elements=string

The api response.

Returned: always

response_message

string

The descriptive message of the api response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status of the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)