Try SpotterConfigure RADIUS server entries in Fortinet's FortiOS and FortiGate.
| "added in version" 2.0.0 of fortinet.fortios"
Authors: Link Zheng (@chillancezen), Jie Xue (@JieX19), Hongbin Lu (@fgtdev-hblu), Frank Shen (@frankshen01), Miguel Angel Munoz (@mamunozgonzalez), Nicolas Thomas (@thomnico)
preview | supported by community
Install with ansible-galaxy collection install fortinet.fortios:==2.3.6
collections:
- name: fortinet.fortios
version: 2.3.6This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify user feature and radius category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
- name: Configure RADIUS server entries.
fortinet.fortios.fortios_user_radius:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
user_radius:
account_key_cert_field: "othername"
account_key_processing: "same"
accounting_server:
-
id: "6"
interface: "<your_own_value> (source system.interface.name)"
interface_select_method: "auto"
port: "0"
secret: "<your_own_value>"
server: "192.168.100.40"
source_ip: "84.230.14.43"
status: "enable"
acct_all_servers: "enable"
acct_interim_interval: "0"
all_usergroup: "disable"
auth_type: "auto"
ca_cert: "<your_own_value> (source vpn.certificate.ca.name)"
call_station_id_type: "legacy"
class:
-
name: "default_name_21"
client_cert: "<your_own_value> (source vpn.certificate.local.name)"
delimiter: "plus"
group_override_attr_type: "filter-Id"
h3c_compatibility: "enable"
interface: "<your_own_value> (source system.interface.name)"
interface_select_method: "auto"
mac_case: "uppercase"
mac_password_delimiter: "hyphen"
mac_username_delimiter: "hyphen"
name: "default_name_31"
nas_id: "<your_own_value>"
nas_id_type: "legacy"
nas_ip: "<your_own_value>"
password_encoding: "auto"
password_renewal: "enable"
radius_coa: "enable"
radius_port: "0"
rsso: "enable"
rsso_context_timeout: "28800"
rsso_endpoint_attribute: "User-Name"
rsso_endpoint_block_attribute: "User-Name"
rsso_ep_one_ip_only: "enable"
rsso_flush_ip_session: "enable"
rsso_log_flags: "protocol-error"
rsso_log_period: "0"
rsso_radius_response: "enable"
rsso_radius_server_port: "1813"
rsso_secret: "<your_own_value>"
rsso_validate_request_secret: "enable"
secondary_secret: "<your_own_value>"
secondary_server: "<your_own_value>"
secret: "<your_own_value>"
server: "192.168.100.40"
server_identity_check: "enable"
source_ip: "84.230.14.43"
sso_attribute: "User-Name"
sso_attribute_key: "<your_own_value>"
sso_attribute_value_override: "enable"
status_ttl: "300"
switch_controller_acct_fast_framedip_detect: "2"
switch_controller_nas_ip_dynamic: "enable"
switch_controller_service_type: "login"
tertiary_secret: "<your_own_value>"
tertiary_server: "<your_own_value>"
timeout: "5"
tls_min_proto_version: "default"
transport_protocol: "udp"
use_management_vdom: "enable"
username_case_sensitive: "enable"
vdom:
default: root
description:
- Virtual domain, among those defined previously. A vdom is a virtual instance of
the FortiGate that can be configured and used as a different unit.
type: str
state:
choices:
- present
- absent
description:
- Indicates whether to create or remove the object.
required: true
type: str
enable_log:
default: false
description:
- Enable/Disable logging for task.
required: false
type: bool
member_path:
description:
- Member attribute path to operate on.
- Delimited by a slash character if there are more than one attribute.
- Parameter marked with member_path is legitimate for doing member operation.
type: str
user_radius:
default: null
description:
- Configure RADIUS server entries.
suboptions:
account_key_cert_field:
choices:
- othername
- rfc822name
- dnsname
description:
- Define subject identity field in certificate for user access right checking.
type: str
account_key_processing:
choices:
- same
- strip
description:
- Account key processing operation. The FortiGate will keep either the whole domain
or strip the domain from the subject identity.
type: str
accounting_server:
description:
- Additional accounting servers.
elements: dict
suboptions:
id:
description:
- ID (0 - 4294967295). see <a href='#notes'>Notes</a>.
required: true
type: int
interface:
description:
- Specify outgoing interface to reach server. Source system.interface.name.
type: str
interface_select_method:
choices:
- auto
- sdwan
- specify
description:
- Specify how to select outgoing interface to reach server.
type: str
port:
description:
- RADIUS accounting port number.
type: int
secret:
description:
- Secret key.
type: str
server:
description:
- Server CN domain name or IP address.
type: str
source_ip:
description:
- Source IP address for communications to the RADIUS server.
type: str
status:
choices:
- enable
- disable
description:
- Status.
type: str
type: list
acct_all_servers:
choices:
- enable
- disable
description:
- Enable/disable sending of accounting messages to all configured servers .
type: str
acct_interim_interval:
description:
- Time in seconds between each accounting interim update message.
type: int
all_usergroup:
choices:
- disable
- enable
description:
- Enable/disable automatically including this RADIUS server in all user groups.
type: str
auth_type:
choices:
- auto
- ms_chap_v2
- ms_chap
- chap
- pap
description:
- Authentication methods/protocols permitted for this RADIUS server.
type: str
ca_cert:
description:
- CA of server to trust under TLS. Source vpn.certificate.ca.name.
type: str
call_station_id_type:
choices:
- legacy
- IP
- MAC
description:
- Calling & Called station identifier type configuration , this option is not
available for 802.1x authentication.
type: str
class:
description:
- Class attribute name(s).
elements: dict
suboptions:
name:
description:
- Class name.
required: true
type: str
type: list
client_cert:
description:
- Client certificate to use under TLS. Source vpn.certificate.local.name.
type: str
delimiter:
choices:
- plus
- comma
description:
- Configure delimiter to be used for separating profile group names in the SSO
attribute .
type: str
group_override_attr_type:
choices:
- filter-Id
- class
description:
- RADIUS attribute type to override user group information.
type: str
h3c_compatibility:
choices:
- enable
- disable
description:
- Enable/disable compatibility with the H3C, a mechanism that performs security
checking for authentication.
type: str
interface:
description:
- Specify outgoing interface to reach server. Source system.interface.name.
type: str
interface_select_method:
choices:
- auto
- sdwan
- specify
description:
- Specify how to select outgoing interface to reach server.
type: str
mac_case:
choices:
- uppercase
- lowercase
description:
- MAC authentication case .
type: str
mac_password_delimiter:
choices:
- hyphen
- single-hyphen
- colon
- none
description:
- MAC authentication password delimiter .
type: str
mac_username_delimiter:
choices:
- hyphen
- single-hyphen
- colon
- none
description:
- MAC authentication username delimiter .
type: str
name:
description:
- RADIUS server entry name.
required: true
type: str
nas_id:
description:
- Custom NAS identifier.
type: str
nas_id_type:
choices:
- legacy
- custom
- hostname
description:
- NAS identifier type configuration .
type: str
nas_ip:
description:
- IP address used to communicate with the RADIUS server and used as NAS-IP-Address
and Called-Station-ID attributes.
type: str
password_encoding:
choices:
- auto
- ISO-8859-1
description:
- Password encoding.
type: str
password_renewal:
choices:
- enable
- disable
description:
- Enable/disable password renewal.
type: str
radius_coa:
choices:
- enable
- disable
description:
- Enable to allow a mechanism to change the attributes of an authentication, authorization,
and accounting session after it is authenticated.
type: str
radius_port:
description:
- RADIUS service port number.
type: int
rsso:
choices:
- enable
- disable
description:
- Enable/disable RADIUS based single sign on feature.
type: str
rsso_context_timeout:
description:
- Time in seconds before the logged out user is removed from the "user context
list" of logged on users.
type: int
rsso_endpoint_attribute:
choices:
- User-Name
- NAS-IP-Address
- Framed-IP-Address
- Framed-IP-Netmask
- Filter-Id
- Login-IP-Host
- Reply-Message
- Callback-Number
- Callback-Id
- Framed-Route
- Framed-IPX-Network
- Class
- Called-Station-Id
- Calling-Station-Id
- NAS-Identifier
- Proxy-State
- Login-LAT-Service
- Login-LAT-Node
- Login-LAT-Group
- Framed-AppleTalk-Zone
- Acct-Session-Id
- Acct-Multi-Session-Id
description:
- RADIUS attributes used to extract the user end point identifier from the RADIUS
Start record.
type: str
rsso_endpoint_block_attribute:
choices:
- User-Name
- NAS-IP-Address
- Framed-IP-Address
- Framed-IP-Netmask
- Filter-Id
- Login-IP-Host
- Reply-Message
- Callback-Number
- Callback-Id
- Framed-Route
- Framed-IPX-Network
- Class
- Called-Station-Id
- Calling-Station-Id
- NAS-Identifier
- Proxy-State
- Login-LAT-Service
- Login-LAT-Node
- Login-LAT-Group
- Framed-AppleTalk-Zone
- Acct-Session-Id
- Acct-Multi-Session-Id
description:
- RADIUS attributes used to block a user.
type: str
rsso_ep_one_ip_only:
choices:
- enable
- disable
description:
- Enable/disable the replacement of old IP addresses with new ones for the same
endpoint on RADIUS accounting Start messages.
type: str
rsso_flush_ip_session:
choices:
- enable
- disable
description:
- Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.
type: str
rsso_log_flags:
choices:
- protocol-error
- profile-missing
- accounting-stop-missed
- accounting-event
- endpoint-block
- radiusd-other
- none
description:
- Events to log.
elements: str
type: list
rsso_log_period:
description:
- Time interval in seconds that group event log messages will be generated for
dynamic profile events.
type: int
rsso_radius_response:
choices:
- enable
- disable
description:
- Enable/disable sending RADIUS response packets after receiving Start and Stop
records.
type: str
rsso_radius_server_port:
description:
- UDP port to listen on for RADIUS Start and Stop records.
type: int
rsso_secret:
description:
- RADIUS secret used by the RADIUS accounting server.
type: str
rsso_validate_request_secret:
choices:
- enable
- disable
description:
- Enable/disable validating the RADIUS request shared secret in the Start or End
record.
type: str
secondary_secret:
description:
- Secret key to access the secondary server.
type: str
secondary_server:
description:
- Secondary RADIUS CN domain name or IP address.
type: str
secret:
description:
- Pre-shared secret key used to access the primary RADIUS server.
type: str
server:
description:
- Primary RADIUS server CN domain name or IP address.
type: str
server_identity_check:
choices:
- enable
- disable
description:
- Enable/disable RADIUS server identity check (verify server domain name/IP address
against the server certificate).
type: str
source_ip:
description:
- Source IP address for communications to the RADIUS server.
type: str
sso_attribute:
choices:
- User-Name
- NAS-IP-Address
- Framed-IP-Address
- Framed-IP-Netmask
- Filter-Id
- Login-IP-Host
- Reply-Message
- Callback-Number
- Callback-Id
- Framed-Route
- Framed-IPX-Network
- Class
- Called-Station-Id
- Calling-Station-Id
- NAS-Identifier
- Proxy-State
- Login-LAT-Service
- Login-LAT-Node
- Login-LAT-Group
- Framed-AppleTalk-Zone
- Acct-Session-Id
- Acct-Multi-Session-Id
description:
- RADIUS attribute that contains the profile group name to be extracted from the
RADIUS Start record.
type: str
sso_attribute_key:
description:
- Key prefix for SSO group value in the SSO attribute.
type: str
sso_attribute_value_override:
choices:
- enable
- disable
description:
- Enable/disable override old attribute value with new value for the same endpoint.
type: str
status_ttl:
description:
- Time for which server reachability is cached so that when a server is unreachable,
it will not be retried for at least this period of time (0 = cache disabled).
type: int
switch_controller_acct_fast_framedip_detect:
description:
- Switch controller accounting message Framed-IP detection from DHCP snooping
(seconds).
type: int
switch_controller_nas_ip_dynamic:
choices:
- enable
- disable
description:
- Enable/Disable switch-controller nas-ip dynamic to dynamically set nas-ip.
type: str
switch_controller_service_type:
choices:
- login
- framed
- callback-login
- callback-framed
- outbound
- administrative
- nas-prompt
- authenticate-only
- callback-nas-prompt
- call-check
- callback-administrative
description:
- RADIUS service type.
elements: str
type: list
tertiary_secret:
description:
- Secret key to access the tertiary server.
type: str
tertiary_server:
description:
- Tertiary RADIUS CN domain name or IP address.
type: str
timeout:
description:
- Time in seconds to retry connecting server.
type: int
tls_min_proto_version:
choices:
- default
- SSLv3
- TLSv1
- TLSv1-1
- TLSv1-2
- TLSv1-3
description:
- Minimum supported protocol version for TLS connections .
type: str
transport_protocol:
choices:
- udp
- tcp
- tls
description:
- Transport protocol to be used .
type: str
use_management_vdom:
choices:
- enable
- disable
description:
- Enable/disable using management VDOM to send requests.
type: str
username_case_sensitive:
choices:
- enable
- disable
description:
- Enable/disable case sensitive user names.
type: str
type: dict
access_token:
description:
- Token-based authentication. Generated from GUI of Fortigate.
required: false
type: str
member_state:
choices:
- present
- absent
description:
- Add or delete a member under specified attribute path.
- When member_state is specified, the state option is ignored.
type: str
build: description: Build number of the fortigate image returned: always sample: '1547' type: str http_method: description: Last method used to provision the content into FortiGate returned: always sample: PUT type: str http_status: description: Last result given by FortiGate on last operation applied returned: always sample: '200' type: str mkey: description: Master key (id) used in the last call to FortiGate returned: success sample: id type: str name: description: Name of the table used to fulfill the request returned: always sample: urlfilter type: str path: description: Path of the table used to fulfill the request returned: always sample: webfilter type: str revision: description: Internal revision number returned: always sample: 17.0.2.10658 type: str serial: description: Serial number of the unit returned: always sample: FGVMEVYYQT3AB5352 type: str status: description: Indication of the operation's result returned: always sample: success type: str vdom: description: Virtual domain used returned: always sample: root type: str version: description: Version of the FortiGate returned: always sample: v5.6.3 type: str