fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate

New in version 2.8.

Synopsis

  • This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify wireless_controller feature and vap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2

Requirements

The below requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Parameter Choices/Defaults Comments
host
- / required
FortiOS or FortiGate ip address.
https
boolean
    Choices:
  • no
  • yes ←
Indicates if the requests towards FortiGate must use HTTPS protocol
password
-
Default:
""
FortiOS or FortiGate password.
username
- / required
FortiOS or FortiGate username.
vdom
-
Default:
"root"
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
wireless_controller_vap
-
Default:
null
Configure Virtual Access Points (VAPs).
acct-interim-interval
-
WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
alias
-
Alias.
auth
-
    Choices:
  • psk
  • radius
  • usergroup
Authentication protocol.
broadcast-ssid
-
    Choices:
  • enable
  • disable
Enable/disable broadcasting the SSID (default = enable).
broadcast-suppression
-
    Choices:
  • dhcp-up
  • dhcp-down
  • dhcp-starvation
  • arp-known
  • arp-unknown
  • arp-reply
  • arp-poison
  • arp-proxy
  • netbios-ns
  • netbios-ds
  • ipv6
  • all-other-mc
  • all-other-bc
Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
captive-portal-ac-name
-
Local-bridging captive portal ac-name.
captive-portal-macauth-radius-secret
-
Secret key to access the macauth RADIUS server.
captive-portal-macauth-radius-server
-
Captive portal external RADIUS server domain name or IP address.
captive-portal-radius-secret
-
Secret key to access the RADIUS server.
captive-portal-radius-server
-
Captive portal RADIUS server domain name or IP address.
captive-portal-session-timeout-interval
-
Session timeout interval (0 - 864000 sec, default = 0).
dhcp-lease-time
-
DHCP lease time in seconds for NAT IP address.
dhcp-option82-circuit-id-insertion
-
    Choices:
  • style-1
  • style-2
  • disable
Enable/disable DHCP option 82 circuit-id insert (default = disable).
dhcp-option82-insertion
-
    Choices:
  • enable
  • disable
Enable/disable DHCP option 82 insert (default = disable).
dhcp-option82-remote-id-insertion
-
    Choices:
  • style-1
  • disable
Enable/disable DHCP option 82 remote-id insert (default = disable).
dynamic-vlan
-
    Choices:
  • enable
  • disable
Enable/disable dynamic VLAN assignment.
eap-reauth
-
    Choices:
  • enable
  • disable
Enable/disable EAP re-authentication for WPA-Enterprise security.
eap-reauth-intv
-
EAP re-authentication interval (1800 - 864000 sec, default = 86400).
eapol-key-retries
-
    Choices:
  • disable
  • enable
Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) (default = enable).
encrypt
-
    Choices:
  • TKIP
  • AES
  • TKIP-AES
Encryption protocol to use (only available when security is set to a WPA type).
external-fast-roaming
-
    Choices:
  • enable
  • disable
Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate (default = disable).
external-logout
-
URL of external authentication logout server.
external-web
-
URL of external authentication web server.
fast-bss-transition
-
    Choices:
  • disable
  • enable
Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
fast-roaming
-
    Choices:
  • enable
  • disable
Enable/disable fast-roaming, or pre-authentication, where supported by clients (default = disable).
ft-mobility-domain
-
Mobility domain identifier in FT (1 - 65535, default = 1000).
ft-over-ds
-
    Choices:
  • disable
  • enable
Enable/disable FT over the Distribution System (DS).
ft-r0-key-lifetime
-
Lifetime of the PMK-R0 key in FT, 1-65535 minutes.
gtk-rekey
-
    Choices:
  • enable
  • disable
Enable/disable GTK rekey for WPA security.
gtk-rekey-intv
-
GTK rekey interval (1800 - 864000 sec, default = 86400).
hotspot20-profile
-
Hotspot 2.0 profile name.
intra-vap-privacy
-
    Choices:
  • enable
  • disable
Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) (default = disable).
ip
-
IP address and subnet mask for the local standalone NAT subnet.
key
-
WEP Key.
keyindex
-
WEP key index (1 - 4).
ldpc
-
    Choices:
  • disable
  • rx
  • tx
  • rxtx
VAP low-density parity-check (LDPC) coding configuration.
local-authentication
-
    Choices:
  • enable
  • disable
Enable/disable AP local authentication.
local-bridging
-
    Choices:
  • enable
  • disable
Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default = disable).
local-lan
-
    Choices:
  • allow
  • deny
Allow/deny traffic destined for a Class A, B, or C private IP address (default = allow).
local-standalone
-
    Choices:
  • enable
  • disable
Enable/disable AP local standalone (default = disable).
local-standalone-nat
-
    Choices:
  • enable
  • disable
Enable/disable AP local standalone NAT mode.
mac-auth-bypass
-
    Choices:
  • enable
  • disable
Enable/disable MAC authentication bypass.
mac-filter
-
    Choices:
  • enable
  • disable
Enable/disable MAC filtering to block wireless clients by mac address.
mac-filter-list
-
Create a list of MAC addresses for MAC address filtering.
id
- / required
ID.
mac
-
MAC address.
mac-filter-policy
-
    Choices:
  • allow
  • deny
Deny or allow the client with this MAC address.
mac-filter-policy-other
-
    Choices:
  • allow
  • deny
Allow or block clients with MAC addresses that are not in the filter list.
max-clients
-
Maximum number of clients that can connect simultaneously to the VAP (default = 0, meaning no limitation).
max-clients-ap
-
Maximum number of clients that can connect simultaneously to each radio (default = 0, meaning no limitation).
me-disable-thresh
-
Disable multicast enhancement when this many clients are receiving multicast traffic.
mesh-backhaul
-
    Choices:
  • enable
  • disable
Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This entry is only available when security is set to a WPA type or open.
mpsk
-
    Choices:
  • enable
  • disable
Enable/disable multiple pre-shared keys (PSKs.)
mpsk-concurrent-clients
-
Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
mpsk-key
-
Pre-shared keys that can be used to connect to this virtual access point.
comment
-
Comment.
concurrent-clients
-
Number of clients that can connect using this pre-shared key.
key-name
- / required
Pre-shared key name.
passphrase
-
WPA Pre-shared key.
multicast-enhance
-
    Choices:
  • enable
  • disable
Enable/disable converting multicast to unicast to improve performance (default = disable).
multicast-rate
-
    Choices:
  • 0
  • 6000
  • 12000
  • 24000
Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
name
- / required
Virtual AP name.
okc
-
    Choices:
  • disable
  • enable
Enable/disable Opportunistic Key Caching (OKC) (default = enable).
passphrase
-
WPA pre-shard key (PSK) to be used to authenticate WiFi users.
pmf
-
    Choices:
  • disable
  • enable
  • optional
Protected Management Frames (PMF) support (default = disable).
pmf-assoc-comeback-timeout
-
Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).
pmf-sa-query-retry-timeout
-
Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec).
portal-message-override-group
-
Replacement message group for this VAP (only available when security is set to a captive portal type).
portal-message-overrides
-
Individual message overrides.
auth-disclaimer-page
-
Override auth-disclaimer-page message with message from portal-message-overrides group.
auth-login-failed-page
-
Override auth-login-failed-page message with message from portal-message-overrides group.
auth-login-page
-
Override auth-login-page message with message from portal-message-overrides group.
auth-reject-page
-
Override auth-reject-page message with message from portal-message-overrides group.
portal-type
-
    Choices:
  • auth
  • auth+disclaimer
  • disclaimer
  • email-collect
  • cmcc
  • cmcc-macauth
  • auth-mac
Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
probe-resp-suppression
-
    Choices:
  • enable
  • disable
Enable/disable probe response suppression (to ignore weak signals) (default = disable).
probe-resp-threshold
-
Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20, default = -80).
ptk-rekey
-
    Choices:
  • enable
  • disable
Enable/disable PTK rekey for WPA-Enterprise security.
ptk-rekey-intv
-
PTK rekey interval (1800 - 864000 sec, default = 86400).
qos-profile
-
Quality of service profile name.
quarantine
-
    Choices:
  • enable
  • disable
Enable/disable station quarantine (default = enable).
radio-2g-threshold
-
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20, default = -79).
radio-5g-threshold
-
Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20, default = -76).
radio-sensitivity
-
    Choices:
  • enable
  • disable
Enable/disable software radio sensitivity (to ignore weak signals) (default = disable).
radius-mac-auth
-
    Choices:
  • enable
  • disable
Enable/disable RADIUS-based MAC authentication of clients (default = disable).
radius-mac-auth-server
-
RADIUS-based MAC authentication server.
radius-mac-auth-usergroups
-
Selective user groups that are permitted for RADIUS mac authentication.
name
- / required
User group name.
radius-server
-
RADIUS server to be used to authenticate WiFi users.
rates-11a
-
    Choices:
  • 1
  • 1-basic
  • 2
  • 2-basic
  • 5.5
  • 5.5-basic
  • 11
  • 11-basic
  • 6
  • 6-basic
  • 9
  • 9-basic
  • 12
  • 12-basic
  • 18
  • 18-basic
  • 24
  • 24-basic
  • 36
  • 36-basic
  • 48
  • 48-basic
  • 54
  • 54-basic
Allowed data rates for 802.11a.
rates-11ac-ss12
-
    Choices:
  • mcs0/1
  • mcs1/1
  • mcs2/1
  • mcs3/1
  • mcs4/1
  • mcs5/1
  • mcs6/1
  • mcs7/1
  • mcs8/1
  • mcs9/1
  • mcs10/1
  • mcs11/1
  • mcs0/2
  • mcs1/2
  • mcs2/2
  • mcs3/2
  • mcs4/2
  • mcs5/2
  • mcs6/2
  • mcs7/2
  • mcs8/2
  • mcs9/2
  • mcs10/2
  • mcs11/2
Allowed data rates for 802.11ac with 1 or 2 spatial streams.
rates-11ac-ss34
-
    Choices:
  • mcs0/3
  • mcs1/3
  • mcs2/3
  • mcs3/3
  • mcs4/3
  • mcs5/3
  • mcs6/3
  • mcs7/3
  • mcs8/3
  • mcs9/3
  • mcs10/3
  • mcs11/3
  • mcs0/4
  • mcs1/4
  • mcs2/4
  • mcs3/4
  • mcs4/4
  • mcs5/4
  • mcs6/4
  • mcs7/4
  • mcs8/4
  • mcs9/4
  • mcs10/4
  • mcs11/4
Allowed data rates for 802.11ac with 3 or 4 spatial streams.
rates-11bg
-
    Choices:
  • 1
  • 1-basic
  • 2
  • 2-basic
  • 5.5
  • 5.5-basic
  • 11
  • 11-basic
  • 6
  • 6-basic
  • 9
  • 9-basic
  • 12
  • 12-basic
  • 18
  • 18-basic
  • 24
  • 24-basic
  • 36
  • 36-basic
  • 48
  • 48-basic
  • 54
  • 54-basic
Allowed data rates for 802.11b/g.
rates-11n-ss12
-
    Choices:
  • mcs0/1
  • mcs1/1
  • mcs2/1
  • mcs3/1
  • mcs4/1
  • mcs5/1
  • mcs6/1
  • mcs7/1
  • mcs8/2
  • mcs9/2
  • mcs10/2
  • mcs11/2
  • mcs12/2
  • mcs13/2
  • mcs14/2
  • mcs15/2
Allowed data rates for 802.11n with 1 or 2 spatial streams.
rates-11n-ss34
-
    Choices:
  • mcs16/3
  • mcs17/3
  • mcs18/3
  • mcs19/3
  • mcs20/3
  • mcs21/3
  • mcs22/3
  • mcs23/3
  • mcs24/4
  • mcs25/4
  • mcs26/4
  • mcs27/4
  • mcs28/4
  • mcs29/4
  • mcs30/4
  • mcs31/4
Allowed data rates for 802.11n with 3 or 4 spatial streams.
schedule
-
VAP schedule name.
security
-
    Choices:
  • open
  • captive-portal
  • wep64
  • wep128
  • wpa-personal
  • wpa-personal+captive-portal
  • wpa-enterprise
  • wpa-only-personal
  • wpa-only-personal+captive-portal
  • wpa-only-enterprise
  • wpa2-only-personal
  • wpa2-only-personal+captive-portal
  • wpa2-only-enterprise
  • osen
Security mode for the wireless interface (default = wpa2-only-personal).
security-exempt-list
-
Optional security exempt list for captive portal authentication.
security-obsolete-option
-
    Choices:
  • enable
  • disable
Enable/disable obsolete security options.
security-redirect-url
-
Optional URL for redirecting users after they pass captive portal authentication.
selected-usergroups
-
Selective user groups that are permitted to authenticate.
name
- / required
User group name.
split-tunneling
-
    Choices:
  • enable
  • disable
Enable/disable split tunneling (default = disable).
ssid
-
IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
state
-
    Choices:
  • present
  • absent
Indicates whether to create or remove the object
tkip-counter-measure
-
    Choices:
  • enable
  • disable
Enable/disable TKIP counter measure.
usergroup
-
Firewall user group to be used to authenticate WiFi users.
name
- / required
User group name.
utm-profile
-
UTM profile name.
vdom
-
Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
vlan-auto
-
    Choices:
  • enable
  • disable
Enable/disable automatic management of SSID VLAN interface.
vlan-pool
-
VLAN pool.
id
- / required
ID.
wtp-group
-
WTP group name.
vlan-pooling
-
    Choices:
  • wtp-group
  • round-robin
  • hash
  • disable
Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
vlanid
-
Optional VLAN ID.
voice-enterprise
-
    Choices:
  • disable
  • enable
Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default = disable).

Notes

Note

  • Requires fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook

Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure Virtual Access Points (VAPs).
    fortios_wireless_controller_vap:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      wireless_controller_vap:
        state: "present"
        acct-interim-interval: "3"
        alias: "<your_own_value>"
        auth: "psk"
        broadcast-ssid: "enable"
        broadcast-suppression: "dhcp-up"
        captive-portal-ac-name: "<your_own_value>"
        captive-portal-macauth-radius-secret: "<your_own_value>"
        captive-portal-macauth-radius-server: "<your_own_value>"
        captive-portal-radius-secret: "<your_own_value>"
        captive-portal-radius-server: "<your_own_value>"
        captive-portal-session-timeout-interval: "13"
        dhcp-lease-time: "14"
        dhcp-option82-circuit-id-insertion: "style-1"
        dhcp-option82-insertion: "enable"
        dhcp-option82-remote-id-insertion: "style-1"
        dynamic-vlan: "enable"
        eap-reauth: "enable"
        eap-reauth-intv: "20"
        eapol-key-retries: "disable"
        encrypt: "TKIP"
        external-fast-roaming: "enable"
        external-logout: "<your_own_value>"
        external-web: "<your_own_value>"
        fast-bss-transition: "disable"
        fast-roaming: "enable"
        ft-mobility-domain: "28"
        ft-over-ds: "disable"
        ft-r0-key-lifetime: "30"
        gtk-rekey: "enable"
        gtk-rekey-intv: "32"
        hotspot20-profile: "<your_own_value>"
        intra-vap-privacy: "enable"
        ip: "<your_own_value>"
        key: "<your_own_value>"
        keyindex: "37"
        ldpc: "disable"
        local-authentication: "enable"
        local-bridging: "enable"
        local-lan: "allow"
        local-standalone: "enable"
        local-standalone-nat: "enable"
        mac-auth-bypass: "enable"
        mac-filter: "enable"
        mac-filter-list:
         -
            id:  "47"
            mac: "<your_own_value>"
            mac-filter-policy: "allow"
        mac-filter-policy-other: "allow"
        max-clients: "51"
        max-clients-ap: "52"
        me-disable-thresh: "53"
        mesh-backhaul: "enable"
        mpsk: "enable"
        mpsk-concurrent-clients: "56"
        mpsk-key:
         -
            comment: "Comment."
            concurrent-clients: "<your_own_value>"
            key-name: "<your_own_value>"
            passphrase: "<your_own_value>"
        multicast-enhance: "enable"
        multicast-rate: "0"
        name: "default_name_64"
        okc: "disable"
        passphrase: "<your_own_value>"
        pmf: "disable"
        pmf-assoc-comeback-timeout: "68"
        pmf-sa-query-retry-timeout: "69"
        portal-message-override-group: "<your_own_value>"
        portal-message-overrides:
            auth-disclaimer-page: "<your_own_value>"
            auth-login-failed-page: "<your_own_value>"
            auth-login-page: "<your_own_value>"
            auth-reject-page: "<your_own_value>"
        portal-type: "auth"
        probe-resp-suppression: "enable"
        probe-resp-threshold: "<your_own_value>"
        ptk-rekey: "enable"
        ptk-rekey-intv: "80"
        qos-profile: "<your_own_value>"
        quarantine: "enable"
        radio-2g-threshold: "<your_own_value>"
        radio-5g-threshold: "<your_own_value>"
        radio-sensitivity: "enable"
        radius-mac-auth: "enable"
        radius-mac-auth-server: "<your_own_value>"
        radius-mac-auth-usergroups:
         -
            name: "default_name_89"
        radius-server: "<your_own_value>"
        rates-11a: "1"
        rates-11ac-ss12: "mcs0/1"
        rates-11ac-ss34: "mcs0/3"
        rates-11bg: "1"
        rates-11n-ss12: "mcs0/1"
        rates-11n-ss34: "mcs16/3"
        schedule: "<your_own_value>"
        security: "open"
        security-exempt-list: "<your_own_value>"
        security-obsolete-option: "enable"
        security-redirect-url: "<your_own_value>"
        selected-usergroups:
         -
            name: "default_name_103"
        split-tunneling: "enable"
        ssid: "<your_own_value>"
        tkip-counter-measure: "enable"
        usergroup:
         -
            name: "default_name_108"
        utm-profile: "<your_own_value>"
        vdom: "<your_own_value> (source system.vdom.name)"
        vlan-auto: "enable"
        vlan-pool:
         -
            id:  "113"
            wtp-group: "<your_own_value>"
        vlan-pooling: "wtp-group"
        vlanid: "116"
        voice-enterprise: "disable"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
build
string
always
Build number of the fortigate image

Sample:
1547
http_method
string
always
Last method used to provision the content into FortiGate

Sample:
PUT
http_status
string
always
Last result given by FortiGate on last operation applied

Sample:
200
mkey
string
success
Master key (id) used in the last call to FortiGate

Sample:
id
name
string
always
Name of the table used to fulfill the request

Sample:
urlfilter
path
string
always
Path of the table used to fulfill the request

Sample:
webfilter
revision
string
always
Internal revision number

Sample:
17.0.2.10658
serial
string
always
Serial number of the unit

Sample:
FGVMEVYYQT3AB5352
status
string
always
Indication of the operation's result

Sample:
success
vdom
string
always
Virtual domain used

Sample:
root
version
string
always
Version of the FortiGate

Sample:
v5.6.3


Status

Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation you can edit this document to improve it.