Try SpotterConfigure Virtual Access Points (VAPs) in Fortinet's FortiOS and FortiGate.
| "added in version" 2.8 of ansible.builtin"
Authors: Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
pipInstall with pip install ansible==2.8.20
This module is able to configure a FortiGate or FortiOS by allowing the user to set and modify wireless_controller feature and vap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.2
- hosts: localhost
vars:
host: "192.168.122.40"
username: "admin"
password: ""
vdom: "root"
tasks:
- name: Configure Virtual Access Points (VAPs).
fortios_wireless_controller_vap:
host: "{{ host }}"
username: "{{ username }}"
password: "{{ password }}"
vdom: "{{ vdom }}"
https: "False"
wireless_controller_vap:
state: "present"
acct-interim-interval: "3"
alias: "<your_own_value>"
auth: "psk"
broadcast-ssid: "enable"
broadcast-suppression: "dhcp-up"
captive-portal-ac-name: "<your_own_value>"
captive-portal-macauth-radius-secret: "<your_own_value>"
captive-portal-macauth-radius-server: "<your_own_value>"
captive-portal-radius-secret: "<your_own_value>"
captive-portal-radius-server: "<your_own_value>"
captive-portal-session-timeout-interval: "13"
dhcp-lease-time: "14"
dhcp-option82-circuit-id-insertion: "style-1"
dhcp-option82-insertion: "enable"
dhcp-option82-remote-id-insertion: "style-1"
dynamic-vlan: "enable"
eap-reauth: "enable"
eap-reauth-intv: "20"
eapol-key-retries: "disable"
encrypt: "TKIP"
external-fast-roaming: "enable"
external-logout: "<your_own_value>"
external-web: "<your_own_value>"
fast-bss-transition: "disable"
fast-roaming: "enable"
ft-mobility-domain: "28"
ft-over-ds: "disable"
ft-r0-key-lifetime: "30"
gtk-rekey: "enable"
gtk-rekey-intv: "32"
hotspot20-profile: "<your_own_value>"
intra-vap-privacy: "enable"
ip: "<your_own_value>"
key: "<your_own_value>"
keyindex: "37"
ldpc: "disable"
local-authentication: "enable"
local-bridging: "enable"
local-lan: "allow"
local-standalone: "enable"
local-standalone-nat: "enable"
mac-auth-bypass: "enable"
mac-filter: "enable"
mac-filter-list:
-
id: "47"
mac: "<your_own_value>"
mac-filter-policy: "allow"
mac-filter-policy-other: "allow"
max-clients: "51"
max-clients-ap: "52"
me-disable-thresh: "53"
mesh-backhaul: "enable"
mpsk: "enable"
mpsk-concurrent-clients: "56"
mpsk-key:
-
comment: "Comment."
concurrent-clients: "<your_own_value>"
key-name: "<your_own_value>"
passphrase: "<your_own_value>"
multicast-enhance: "enable"
multicast-rate: "0"
name: "default_name_64"
okc: "disable"
passphrase: "<your_own_value>"
pmf: "disable"
pmf-assoc-comeback-timeout: "68"
pmf-sa-query-retry-timeout: "69"
portal-message-override-group: "<your_own_value>"
portal-message-overrides:
auth-disclaimer-page: "<your_own_value>"
auth-login-failed-page: "<your_own_value>"
auth-login-page: "<your_own_value>"
auth-reject-page: "<your_own_value>"
portal-type: "auth"
probe-resp-suppression: "enable"
probe-resp-threshold: "<your_own_value>"
ptk-rekey: "enable"
ptk-rekey-intv: "80"
qos-profile: "<your_own_value>"
quarantine: "enable"
radio-2g-threshold: "<your_own_value>"
radio-5g-threshold: "<your_own_value>"
radio-sensitivity: "enable"
radius-mac-auth: "enable"
radius-mac-auth-server: "<your_own_value>"
radius-mac-auth-usergroups:
-
name: "default_name_89"
radius-server: "<your_own_value>"
rates-11a: "1"
rates-11ac-ss12: "mcs0/1"
rates-11ac-ss34: "mcs0/3"
rates-11bg: "1"
rates-11n-ss12: "mcs0/1"
rates-11n-ss34: "mcs16/3"
schedule: "<your_own_value>"
security: "open"
security-exempt-list: "<your_own_value>"
security-obsolete-option: "enable"
security-redirect-url: "<your_own_value>"
selected-usergroups:
-
name: "default_name_103"
split-tunneling: "enable"
ssid: "<your_own_value>"
tkip-counter-measure: "enable"
usergroup:
-
name: "default_name_108"
utm-profile: "<your_own_value>"
vdom: "<your_own_value> (source system.vdom.name)"
vlan-auto: "enable"
vlan-pool:
-
id: "113"
wtp-group: "<your_own_value>"
vlan-pooling: "wtp-group"
vlanid: "116"
voice-enterprise: "disable"
host:
description:
- FortiOS or FortiGate ip address.
required: true
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
https:
default: true
description:
- Indicates if the requests towards FortiGate must use HTTPS protocol
type: bool
password:
default: ''
description:
- FortiOS or FortiGate password.
username:
description:
- FortiOS or FortiGate username.
required: true
wireless_controller_vap:
default: null
description:
- Configure Virtual Access Points (VAPs).
suboptions:
acct-interim-interval:
description:
- WiFi RADIUS accounting interim interval (60 - 86400 sec, default = 0).
alias:
description:
- Alias.
auth:
choices:
- psk
- radius
- usergroup
description:
- Authentication protocol.
broadcast-ssid:
choices:
- enable
- disable
description:
- Enable/disable broadcasting the SSID (default = enable).
broadcast-suppression:
choices:
- dhcp-up
- dhcp-down
- dhcp-starvation
- arp-known
- arp-unknown
- arp-reply
- arp-poison
- arp-proxy
- netbios-ns
- netbios-ds
- ipv6
- all-other-mc
- all-other-bc
description:
- Optional suppression of broadcast messages. For example, you can keep DHCP messages,
ARP broadcasts, and so on off of the wireless network.
captive-portal-ac-name:
description:
- Local-bridging captive portal ac-name.
captive-portal-macauth-radius-secret:
description:
- Secret key to access the macauth RADIUS server.
captive-portal-macauth-radius-server:
description:
- Captive portal external RADIUS server domain name or IP address.
captive-portal-radius-secret:
description:
- Secret key to access the RADIUS server.
captive-portal-radius-server:
description:
- Captive portal RADIUS server domain name or IP address.
captive-portal-session-timeout-interval:
description:
- Session timeout interval (0 - 864000 sec, default = 0).
dhcp-lease-time:
description:
- DHCP lease time in seconds for NAT IP address.
dhcp-option82-circuit-id-insertion:
choices:
- style-1
- style-2
- disable
description:
- Enable/disable DHCP option 82 circuit-id insert (default = disable).
dhcp-option82-insertion:
choices:
- enable
- disable
description:
- Enable/disable DHCP option 82 insert (default = disable).
dhcp-option82-remote-id-insertion:
choices:
- style-1
- disable
description:
- Enable/disable DHCP option 82 remote-id insert (default = disable).
dynamic-vlan:
choices:
- enable
- disable
description:
- Enable/disable dynamic VLAN assignment.
eap-reauth:
choices:
- enable
- disable
description:
- Enable/disable EAP re-authentication for WPA-Enterprise security.
eap-reauth-intv:
description:
- EAP re-authentication interval (1800 - 864000 sec, default = 86400).
eapol-key-retries:
choices:
- disable
- enable
description:
- Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message
1/2) (default = enable).
encrypt:
choices:
- TKIP
- AES
- TKIP-AES
description:
- Encryption protocol to use (only available when security is set to a WPA type).
external-fast-roaming:
choices:
- enable
- disable
description:
- Enable/disable fast roaming or pre-authentication with external APs not managed
by the FortiGate (default = disable).
external-logout:
description:
- URL of external authentication logout server.
external-web:
description:
- URL of external authentication web server.
fast-bss-transition:
choices:
- disable
- enable
description:
- Enable/disable 802.11r Fast BSS Transition (FT) (default = disable).
fast-roaming:
choices:
- enable
- disable
description:
- Enable/disable fast-roaming, or pre-authentication, where supported by clients
(default = disable).
ft-mobility-domain:
description:
- Mobility domain identifier in FT (1 - 65535, default = 1000).
ft-over-ds:
choices:
- disable
- enable
description:
- Enable/disable FT over the Distribution System (DS).
ft-r0-key-lifetime:
description:
- Lifetime of the PMK-R0 key in FT, 1-65535 minutes.
gtk-rekey:
choices:
- enable
- disable
description:
- Enable/disable GTK rekey for WPA security.
gtk-rekey-intv:
description:
- GTK rekey interval (1800 - 864000 sec, default = 86400).
hotspot20-profile:
description:
- Hotspot 2.0 profile name.
intra-vap-privacy:
choices:
- enable
- disable
description:
- Enable/disable blocking communication between clients on the same SSID (called
intra-SSID privacy) (default = disable).
ip:
description:
- IP address and subnet mask for the local standalone NAT subnet.
key:
description:
- WEP Key.
keyindex:
description:
- WEP key index (1 - 4).
ldpc:
choices:
- disable
- rx
- tx
- rxtx
description:
- VAP low-density parity-check (LDPC) coding configuration.
local-authentication:
choices:
- enable
- disable
description:
- Enable/disable AP local authentication.
local-bridging:
choices:
- enable
- disable
description:
- Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP (default
= disable).
local-lan:
choices:
- allow
- deny
description:
- Allow/deny traffic destined for a Class A, B, or C private IP address (default
= allow).
local-standalone:
choices:
- enable
- disable
description:
- Enable/disable AP local standalone (default = disable).
local-standalone-nat:
choices:
- enable
- disable
description:
- Enable/disable AP local standalone NAT mode.
mac-auth-bypass:
choices:
- enable
- disable
description:
- Enable/disable MAC authentication bypass.
mac-filter:
choices:
- enable
- disable
description:
- Enable/disable MAC filtering to block wireless clients by mac address.
mac-filter-list:
description:
- Create a list of MAC addresses for MAC address filtering.
suboptions:
id:
description:
- ID.
required: true
mac:
description:
- MAC address.
mac-filter-policy:
choices:
- allow
- deny
description:
- Deny or allow the client with this MAC address.
mac-filter-policy-other:
choices:
- allow
- deny
description:
- Allow or block clients with MAC addresses that are not in the filter list.
max-clients:
description:
- Maximum number of clients that can connect simultaneously to the VAP (default
= 0, meaning no limitation).
max-clients-ap:
description:
- Maximum number of clients that can connect simultaneously to each radio (default
= 0, meaning no limitation).
me-disable-thresh:
description:
- Disable multicast enhancement when this many clients are receiving multicast
traffic.
mesh-backhaul:
choices:
- enable
- disable
description:
- Enable/disable using this VAP as a WiFi mesh backhaul (default = disable). This
entry is only available when security is set to a WPA type or open.
mpsk:
choices:
- enable
- disable
description:
- Enable/disable multiple pre-shared keys (PSKs.)
mpsk-concurrent-clients:
description:
- Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
mpsk-key:
description:
- Pre-shared keys that can be used to connect to this virtual access point.
suboptions:
comment:
description:
- Comment.
concurrent-clients:
description:
- Number of clients that can connect using this pre-shared key.
key-name:
description:
- Pre-shared key name.
required: true
passphrase:
description:
- WPA Pre-shared key.
multicast-enhance:
choices:
- enable
- disable
description:
- Enable/disable converting multicast to unicast to improve performance (default
= disable).
multicast-rate:
choices:
- 0
- 6000
- 12000
- 24000
description:
- Multicast rate (0, 6000, 12000, or 24000 kbps, default = 0).
name:
description:
- Virtual AP name.
required: true
okc:
choices:
- disable
- enable
description:
- Enable/disable Opportunistic Key Caching (OKC) (default = enable).
passphrase:
description:
- WPA pre-shard key (PSK) to be used to authenticate WiFi users.
pmf:
choices:
- disable
- enable
- optional
description:
- Protected Management Frames (PMF) support (default = disable).
pmf-assoc-comeback-timeout:
description:
- Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).
pmf-sa-query-retry-timeout:
description:
- Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s
of msec).
portal-message-override-group:
description:
- Replacement message group for this VAP (only available when security is set
to a captive portal type).
portal-message-overrides:
description:
- Individual message overrides.
suboptions:
auth-disclaimer-page:
description:
- Override auth-disclaimer-page message with message from portal-message-overrides
group.
auth-login-failed-page:
description:
- Override auth-login-failed-page message with message from portal-message-overrides
group.
auth-login-page:
description:
- Override auth-login-page message with message from portal-message-overrides
group.
auth-reject-page:
description:
- Override auth-reject-page message with message from portal-message-overrides
group.
portal-type:
choices:
- auth
- auth+disclaimer
- disclaimer
- email-collect
- cmcc
- cmcc-macauth
- auth-mac
description:
- Captive portal functionality. Configure how the captive portal authenticates
users and whether it includes a disclaimer.
probe-resp-suppression:
choices:
- enable
- disable
description:
- Enable/disable probe response suppression (to ignore weak signals) (default
= disable).
probe-resp-threshold:
description:
- Minimum signal level/threshold in dBm required for the AP response to probe
requests (-95 to -20, default = -80).
ptk-rekey:
choices:
- enable
- disable
description:
- Enable/disable PTK rekey for WPA-Enterprise security.
ptk-rekey-intv:
description:
- PTK rekey interval (1800 - 864000 sec, default = 86400).
qos-profile:
description:
- Quality of service profile name.
quarantine:
choices:
- enable
- disable
description:
- Enable/disable station quarantine (default = enable).
radio-2g-threshold:
description:
- Minimum signal level/threshold in dBm required for the AP response to receive
a packet in 2.4G band (-95 to -20, default = -79).
radio-5g-threshold:
description:
- Minimum signal level/threshold in dBm required for the AP response to receive
a packet in 5G band(-95 to -20, default = -76).
radio-sensitivity:
choices:
- enable
- disable
description:
- Enable/disable software radio sensitivity (to ignore weak signals) (default
= disable).
radius-mac-auth:
choices:
- enable
- disable
description:
- Enable/disable RADIUS-based MAC authentication of clients (default = disable).
radius-mac-auth-server:
description:
- RADIUS-based MAC authentication server.
radius-mac-auth-usergroups:
description:
- Selective user groups that are permitted for RADIUS mac authentication.
suboptions:
name:
description:
- User group name.
required: true
radius-server:
description:
- RADIUS server to be used to authenticate WiFi users.
rates-11a:
choices:
- 1
- 1-basic
- 2
- 2-basic
- 5.5
- 5.5-basic
- 11
- 11-basic
- 6
- 6-basic
- 9
- 9-basic
- 12
- 12-basic
- 18
- 18-basic
- 24
- 24-basic
- 36
- 36-basic
- 48
- 48-basic
- 54
- 54-basic
description:
- Allowed data rates for 802.11a.
rates-11ac-ss12:
choices:
- mcs0/1
- mcs1/1
- mcs2/1
- mcs3/1
- mcs4/1
- mcs5/1
- mcs6/1
- mcs7/1
- mcs8/1
- mcs9/1
- mcs10/1
- mcs11/1
- mcs0/2
- mcs1/2
- mcs2/2
- mcs3/2
- mcs4/2
- mcs5/2
- mcs6/2
- mcs7/2
- mcs8/2
- mcs9/2
- mcs10/2
- mcs11/2
description:
- Allowed data rates for 802.11ac with 1 or 2 spatial streams.
rates-11ac-ss34:
choices:
- mcs0/3
- mcs1/3
- mcs2/3
- mcs3/3
- mcs4/3
- mcs5/3
- mcs6/3
- mcs7/3
- mcs8/3
- mcs9/3
- mcs10/3
- mcs11/3
- mcs0/4
- mcs1/4
- mcs2/4
- mcs3/4
- mcs4/4
- mcs5/4
- mcs6/4
- mcs7/4
- mcs8/4
- mcs9/4
- mcs10/4
- mcs11/4
description:
- Allowed data rates for 802.11ac with 3 or 4 spatial streams.
rates-11bg:
choices:
- 1
- 1-basic
- 2
- 2-basic
- 5.5
- 5.5-basic
- 11
- 11-basic
- 6
- 6-basic
- 9
- 9-basic
- 12
- 12-basic
- 18
- 18-basic
- 24
- 24-basic
- 36
- 36-basic
- 48
- 48-basic
- 54
- 54-basic
description:
- Allowed data rates for 802.11b/g.
rates-11n-ss12:
choices:
- mcs0/1
- mcs1/1
- mcs2/1
- mcs3/1
- mcs4/1
- mcs5/1
- mcs6/1
- mcs7/1
- mcs8/2
- mcs9/2
- mcs10/2
- mcs11/2
- mcs12/2
- mcs13/2
- mcs14/2
- mcs15/2
description:
- Allowed data rates for 802.11n with 1 or 2 spatial streams.
rates-11n-ss34:
choices:
- mcs16/3
- mcs17/3
- mcs18/3
- mcs19/3
- mcs20/3
- mcs21/3
- mcs22/3
- mcs23/3
- mcs24/4
- mcs25/4
- mcs26/4
- mcs27/4
- mcs28/4
- mcs29/4
- mcs30/4
- mcs31/4
description:
- Allowed data rates for 802.11n with 3 or 4 spatial streams.
schedule:
description:
- VAP schedule name.
security:
choices:
- open
- captive-portal
- wep64
- wep128
- wpa-personal
- wpa-personal+captive-portal
- wpa-enterprise
- wpa-only-personal
- wpa-only-personal+captive-portal
- wpa-only-enterprise
- wpa2-only-personal
- wpa2-only-personal+captive-portal
- wpa2-only-enterprise
- osen
description:
- Security mode for the wireless interface (default = wpa2-only-personal).
security-exempt-list:
description:
- Optional security exempt list for captive portal authentication.
security-obsolete-option:
choices:
- enable
- disable
description:
- Enable/disable obsolete security options.
security-redirect-url:
description:
- Optional URL for redirecting users after they pass captive portal authentication.
selected-usergroups:
description:
- Selective user groups that are permitted to authenticate.
suboptions:
name:
description:
- User group name.
required: true
split-tunneling:
choices:
- enable
- disable
description:
- Enable/disable split tunneling (default = disable).
ssid:
description:
- IEEE 802.11 service set identifier (SSID) for the wireless interface. Users
who wish to use the wireless network must configure their computers to access
this SSID name.
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object
tkip-counter-measure:
choices:
- enable
- disable
description:
- Enable/disable TKIP counter measure.
usergroup:
description:
- Firewall user group to be used to authenticate WiFi users.
suboptions:
name:
description:
- User group name.
required: true
utm-profile:
description:
- UTM profile name.
vdom:
description:
- Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
vlan-auto:
choices:
- enable
- disable
description:
- Enable/disable automatic management of SSID VLAN interface.
vlan-pool:
description:
- VLAN pool.
suboptions:
id:
description:
- ID.
required: true
wtp-group:
description:
- WTP group name.
vlan-pooling:
choices:
- wtp-group
- round-robin
- hash
- disable
description:
- Enable/disable VLAN pooling, to allow grouping of multiple wireless controller
VLANs into VLAN pools (default = disable). When set to wtp-group, VLAN pooling
occurs with VLAN assignment by wtp-group.
vlanid:
description:
- Optional VLAN ID.
voice-enterprise:
choices:
- disable
- enable
description:
- Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming (default
= disable).
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str