fortinet.fortios.fortios_user_radius module (fortinet.fortios 2.3.6)
Configure RADIUS server entries in Fortinet's FortiOS and FortiGate.
Added in version 2.0.0 of fortinet.fortios. Status: preview. Supported by: community.
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
Install with: ansible-galaxy collection install fortinet.fortios:==2.3.6

Or pin it in a requirements.yml:

collections:
  - name: fortinet.fortios
    version: 2.3.6
Synopsis

This module configures a FortiGate or FortiOS (FOS) device by letting the user set and modify the radius category of the user feature. The example below lists every parameter; its values, especially the ones marked as datasources (for instance "source system.interface.name"), must be adjusted to your environment before use. Tested with FOS v6.0.0.
Examples

```yaml
- name: Configure RADIUS server entries.
  fortinet.fortios.fortios_user_radius:
    vdom: "{{ vdom }}"
    state: "present"
    access_token: "<your_own_value>"
    user_radius:
      account_key_cert_field: "othername"
      account_key_processing: "same"
      accounting_server:
        - id: "6"
          interface: "<your_own_value> (source system.interface.name)"
          interface_select_method: "auto"
          port: "0"
          secret: "<your_own_value>"
          server: "192.168.100.40"
          source_ip: "84.230.14.43"
          status: "enable"
      acct_all_servers: "enable"
      acct_interim_interval: "0"
      all_usergroup: "disable"
      auth_type: "auto"
      ca_cert: "<your_own_value> (source vpn.certificate.ca.name)"
      call_station_id_type: "legacy"
      class:
        - name: "default_name_21"
      client_cert: "<your_own_value> (source vpn.certificate.local.name)"
      delimiter: "plus"
      group_override_attr_type: "filter-Id"
      h3c_compatibility: "enable"
      interface: "<your_own_value> (source system.interface.name)"
      interface_select_method: "auto"
      mac_case: "uppercase"
      mac_password_delimiter: "hyphen"
      mac_username_delimiter: "hyphen"
      name: "default_name_31"
      nas_id: "<your_own_value>"
      nas_id_type: "legacy"
      nas_ip: "<your_own_value>"
      password_encoding: "auto"
      password_renewal: "enable"
      radius_coa: "enable"
      radius_port: "0"
      rsso: "enable"
      rsso_context_timeout: "28800"
      rsso_endpoint_attribute: "User-Name"
      rsso_endpoint_block_attribute: "User-Name"
      rsso_ep_one_ip_only: "enable"
      rsso_flush_ip_session: "enable"
      rsso_log_flags: "protocol-error"
      rsso_log_period: "0"
      rsso_radius_response: "enable"
      rsso_radius_server_port: "1813"
      rsso_secret: "<your_own_value>"
      rsso_validate_request_secret: "enable"
      secondary_secret: "<your_own_value>"
      secondary_server: "<your_own_value>"
      secret: "<your_own_value>"
      server: "192.168.100.40"
      server_identity_check: "enable"
      source_ip: "84.230.14.43"
      sso_attribute: "User-Name"
      sso_attribute_key: "<your_own_value>"
      sso_attribute_value_override: "enable"
      status_ttl: "300"
      switch_controller_acct_fast_framedip_detect: "2"
      switch_controller_nas_ip_dynamic: "enable"
      switch_controller_service_type: "login"
      tertiary_secret: "<your_own_value>"
      tertiary_server: "<your_own_value>"
      timeout: "5"
      tls_min_proto_version: "default"
      transport_protocol: "udp"
      use_management_vdom: "enable"
      username_case_sensitive: "enable"
```
Parameters

- vdom (str, default: root): Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
- state (str, required; choices: present, absent): Indicates whether to create or remove the object.
- enable_log (bool, default: false): Enable/disable logging for the task.
- member_path (str): Member attribute path to operate on. Delimited by a slash character if there is more than one attribute. Only parameters marked with member_path are valid for member operations.
- user_radius (dict, default: null): Configure RADIUS server entries. Suboptions:
  - account_key_cert_field (str; choices: othername, rfc822name, dnsname): Subject identity field in the certificate used for user access right checking.
  - account_key_processing (str; choices: same, strip): Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity.
  - accounting_server (list of dict): Additional accounting servers. Each entry has:
    - id (int, required): ID (0 - 4294967295). See Notes.
    - interface (str): Outgoing interface to reach the server. Source system.interface.name.
    - interface_select_method (str; choices: auto, sdwan, specify): How to select the outgoing interface to reach the server.
    - port (int): RADIUS accounting port number.
    - secret (str): Secret key.
    - server (str): Server CN domain name or IP address.
    - source_ip (str): Source IP address for communications to the RADIUS server.
    - status (str; choices: enable, disable): Status.
  - acct_all_servers (str; choices: enable, disable): Enable/disable sending of accounting messages to all configured servers.
  - acct_interim_interval (int): Time in seconds between each accounting interim update message.
  - all_usergroup (str; choices: disable, enable): Enable/disable automatically including this RADIUS server in all user groups.
  - auth_type (str; choices: auto, ms_chap_v2, ms_chap, chap, pap): Authentication methods/protocols permitted for this RADIUS server.
  - ca_cert (str): CA of the server to trust under TLS. Source vpn.certificate.ca.name.
  - call_station_id_type (str; choices: legacy, IP, MAC): Calling and Called station identifier type; this option is not available for 802.1x authentication.
  - class (list of dict): Class attribute name(s). Each entry has name (str, required): Class name.
  - client_cert (str): Client certificate to use under TLS. Source vpn.certificate.local.name.
  - delimiter (str; choices: plus, comma): Delimiter used for separating profile group names in the SSO attribute.
  - group_override_attr_type (str; choices: filter-Id, class): RADIUS attribute type used to override user group information.
  - h3c_compatibility (str; choices: enable, disable): Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.
  - interface (str): Outgoing interface to reach the server. Source system.interface.name.
  - interface_select_method (str; choices: auto, sdwan, specify): How to select the outgoing interface to reach the server.
  - mac_case (str; choices: uppercase, lowercase): MAC authentication case.
  - mac_password_delimiter (str; choices: hyphen, single-hyphen, colon, none): MAC authentication password delimiter.
  - mac_username_delimiter (str; choices: hyphen, single-hyphen, colon, none): MAC authentication username delimiter.
  - name (str, required): RADIUS server entry name.
  - nas_id (str): Custom NAS identifier.
  - nas_id_type (str; choices: legacy, custom, hostname): NAS identifier type.
  - nas_ip (str): IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes.
  - password_encoding (str; choices: auto, ISO-8859-1): Password encoding.
  - password_renewal (str; choices: enable, disable): Enable/disable password renewal.
  - radius_coa (str; choices: enable, disable): Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.
  - radius_port (int): RADIUS service port number.
  - rsso (str; choices: enable, disable): Enable/disable the RADIUS based single sign on feature.
  - rsso_context_timeout (int): Time in seconds before the logged out user is removed from the "user context list" of logged on users.
  - rsso_endpoint_attribute (str; choices: the RADIUS attribute list below): RADIUS attribute used to extract the user end point identifier from the RADIUS Start record.
  - rsso_endpoint_block_attribute (str; choices: the RADIUS attribute list below): RADIUS attribute used to block a user.
  - rsso_ep_one_ip_only (str; choices: enable, disable): Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.
  - rsso_flush_ip_session (str; choices: enable, disable): Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
  - rsso_log_flags (list of str; choices: protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other, none): Events to log.
  - rsso_log_period (int): Time interval in seconds at which group event log messages are generated for dynamic profile events.
  - rsso_radius_response (str; choices: enable, disable): Enable/disable sending RADIUS response packets after receiving Start and Stop records.
  - rsso_radius_server_port (int): UDP port to listen on for RADIUS Start and Stop records.
  - rsso_secret (str): RADIUS secret used by the RADIUS accounting server.
  - rsso_validate_request_secret (str; choices: enable, disable): Enable/disable validating the RADIUS request shared secret in the Start or End record.
  - secondary_secret (str): Secret key to access the secondary server.
  - secondary_server (str): Secondary RADIUS server CN domain name or IP address.
  - secret (str): Pre-shared secret key used to access the primary RADIUS server.
  - server (str): Primary RADIUS server CN domain name or IP address.
  - server_identity_check (str; choices: enable, disable): Enable/disable RADIUS server identity check (verify the server domain name/IP address against the server certificate).
  - source_ip (str): Source IP address for communications to the RADIUS server.
  - sso_attribute (str; choices: the RADIUS attribute list below): RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.
  - sso_attribute_key (str): Key prefix for the SSO group value in the SSO attribute.
  - sso_attribute_value_override (str; choices: enable, disable): Enable/disable overriding the old attribute value with the new value for the same endpoint.
  - status_ttl (int): Time for which server reachability is cached, so that when a server is unreachable it is not retried for at least this period (0 = cache disabled).
  - switch_controller_acct_fast_framedip_detect (int): Switch controller accounting message Framed-IP detection from DHCP snooping (seconds).
  - switch_controller_nas_ip_dynamic (str; choices: enable, disable): Enable/disable switch-controller nas-ip dynamic, which sets nas-ip dynamically.
  - switch_controller_service_type (list of str; choices: login, framed, callback-login, callback-framed, outbound, administrative, nas-prompt, authenticate-only, callback-nas-prompt, call-check, callback-administrative): RADIUS service type.
  - tertiary_secret (str): Secret key to access the tertiary server.
  - tertiary_server (str): Tertiary RADIUS server CN domain name or IP address.
  - timeout (int): Time in seconds to retry connecting to the server.
  - tls_min_proto_version (str; choices: default, SSLv3, TLSv1, TLSv1-1, TLSv1-2, TLSv1-3): Minimum supported protocol version for TLS connections.
  - transport_protocol (str; choices: udp, tcp, tls): Transport protocol to be used.
  - use_management_vdom (str; choices: enable, disable): Enable/disable using the management VDOM to send requests.
  - username_case_sensitive (str; choices: enable, disable): Enable/disable case sensitive user names.

  RADIUS attribute list (choices shared by rsso_endpoint_attribute, rsso_endpoint_block_attribute and sso_attribute): User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id.
- access_token (str, not required): Token-based authentication. Generated from the GUI of the FortiGate.
- member_state (str; choices: present, absent): Add or delete a member under the specified attribute path. When member_state is specified, the state option is ignored.
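The parameters above interact in ways the generated example does not make obvious: only transport_protocol tls encrypts the exchange (with udp or tcp the User-Password is merely MD5-obfuscated with the shared secret and every other attribute travels in clear), server_identity_check and ca_cert only have a certificate to act on under TLS, and an rsso listener that does not validate the request secret accepts accounting Start/Stop records from any host that can reach rsso_radius_server_port. The pre-flight check below is an added example, not code from the fortinet.fortios collection: it takes the user_radius dict exactly as you would pass it to the module and returns findings for these combinations and for missing or placeholder secrets. DOCS_EXAMPLE is the security-relevant subset of the generated example above; HARDENED shows the corrected settings, and its hostnames, certificate object names and vault-backed radius_*_secret variables are assumptions. Because secret, secondary_secret, tertiary_secret, rsso_secret and access_token are ordinary strings in the playbook, keep them in an Ansible Vault-encrypted vars file and set no_log: true on the task so they do not land in job output.

```python
"""Pre-flight checks for the user_radius dict passed to fortinet.fortios.fortios_user_radius.
Added example, not part of the collection; uses only the documented parameter names and
choices. An unset transport_protocol is assumed to mean the FortiOS default, udp."""
from __future__ import annotations

PLACEHOLDER = "<your_own_value>"          # value the generated docs example uses
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1-1"}  # tls_min_proto_version choices below TLS 1.2
# server field -> the shared secret that protects it
SECRET_FOR = {"server": "secret", "secondary_server": "secondary_secret", "tertiary_server": "tertiary_secret"}


def _unset(value) -> bool:
    """True when a field is absent, empty, or still the docs placeholder."""
    return value is None or value == "" or str(value).startswith(PLACEHOLDER)


def check_user_radius(spec: dict) -> list[str]:
    """Return findings for one RADIUS server entry; an empty list means nothing was flagged."""
    name = spec.get("name", "<unnamed>")
    findings: list[str] = []

    def flag(msg: str) -> None:
        findings.append(f"{name}: {msg}")

    # Transport. Only tls (RadSec) encrypts the exchange; with udp or tcp the
    # User-Password is merely MD5-obfuscated with the shared secret and every
    # other attribute (user names, Framed-IP, Class, ...) is sent in clear.
    transport = spec.get("transport_protocol", "udp")
    if transport != "tls":
        flag(f"transport_protocol={transport}: RADIUS traffic is not TLS-protected")
        if spec.get("auth_type") == "pap":
            flag("auth_type=pap over a non-TLS transport relies solely on shared-secret obfuscation")
        if spec.get("server_identity_check") == "enable":
            flag("server_identity_check=enable has no certificate to verify without a TLS transport")
    else:
        if spec.get("server_identity_check") != "enable":
            flag("server_identity_check must be 'enable' to match the certificate to the server name/IP")
        if _unset(spec.get("ca_cert")):
            flag("ca_cert is unset: the server certificate cannot be validated against a trusted CA")
        version = spec.get("tls_min_proto_version", "default")
        if version in WEAK_TLS:
            flag(f"tls_min_proto_version={version} allows pre-TLS 1.2 protocol versions")
        elif version == "default":
            flag("tls_min_proto_version=default inherits the global setting; pin TLSv1-2 or TLSv1-3")

    # Shared secrets. Every configured server (and accounting server) needs a real one.
    for server_field, secret_field in SECRET_FOR.items():
        if not _unset(spec.get(server_field)) and _unset(spec.get(secret_field)):
            flag(f"{server_field} is set but {secret_field} is empty or a placeholder")
    for acct in spec.get("accounting_server") or []:
        if not _unset(acct.get("server")) and _unset(acct.get("secret")):
            flag(f"accounting_server id={acct.get('id')}: secret is empty or a placeholder")

    # RSSO. The FortiGate listens on rsso_radius_server_port for accounting Start/Stop
    # records that create and tear down user sessions. Without request-secret
    # validation, any host that can reach that port can log users on or off.
    if spec.get("rsso") == "enable":
        if spec.get("rsso_validate_request_secret") != "enable":
            flag("rsso without rsso_validate_request_secret=enable accepts unauthenticated Start/Stop records")
        if _unset(spec.get("rsso_secret")):
            flag("rsso enabled but rsso_secret is empty or a placeholder")

    # Authorization scope: membership in every user group widens what this server can grant.
    if spec.get("all_usergroup") == "enable":
        flag("all_usergroup=enable adds this server to all user groups; prefer explicit membership")
    return findings


# The security-relevant subset of the generated example above (constructed from that example).
DOCS_EXAMPLE = {
    "name": "default_name_31",
    "server": "192.168.100.40",
    "secret": PLACEHOLDER,
    "accounting_server": [{"id": "6", "server": "192.168.100.40", "secret": PLACEHOLDER}],
    "transport_protocol": "udp",
    "server_identity_check": "enable",
    "tls_min_proto_version": "default",
    "rsso": "enable",
    "rsso_validate_request_secret": "enable",
    "rsso_secret": PLACEHOLDER,
}

# The same entry hardened. Hostnames, certificate names and vault variable names are assumptions.
HARDENED = {
    "name": "corp-radius",
    "server": "radius1.corp.example",
    "secondary_server": "radius2.corp.example",
    "secret": "{{ radius_primary_secret }}",            # resolved from a vaulted vars file at run time
    "secondary_secret": "{{ radius_secondary_secret }}",
    "auth_type": "ms_chap_v2",
    "transport_protocol": "tls",
    "server_identity_check": "enable",
    "ca_cert": "Corp-Root-CA",
    "client_cert": "fgt-radsec-client",
    "tls_min_proto_version": "TLSv1-2",
}

if __name__ == "__main__":
    for label, entry in (("docs example", DOCS_EXAMPLE), ("hardened", HARDENED)):
        print(f"{label}:", check_user_radius(entry) or "no findings")
```

Run stand-alone it reports five findings for the docs example and none for the hardened entry. In a playbook the same check fits naturally as an assert on the rendered user_radius variable before the fortios_user_radius task runs, or as a custom test plugin; that plumbing is not shown here.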
Return Values

- build (str, returned: always): Build number of the FortiGate image. Sample: '1547'
- http_method (str, returned: always): Last method used to provision the content into FortiGate. Sample: PUT
- http_status (str, returned: always): Last result given by FortiGate on the last operation applied. Sample: '200'
- mkey (str, returned: success): Master key (id) used in the last call to FortiGate. Sample: id
- name (str, returned: always): Name of the table used to fulfill the request. Sample: urlfilter
- path (str, returned: always): Path of the table used to fulfill the request. Sample: webfilter
- revision (str, returned: always): Internal revision number. Sample: 17.0.2.10658
- serial (str, returned: always): Serial number of the unit. Sample: FGVMEVYYQT3AB5352
- status (str, returned: always): Indication of the operation's result. Sample: success
- vdom (str, returned: always): Virtual domain used. Sample: root
- version (str, returned: always): Version of the FortiGate. Sample: v5.6.3