fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate¶

New in version 2.8.

Synopsis
Requirements
Parameters
Notes
Examples
Return Values
Status

Synopsis ¶

This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify wireless_controller feature and vap category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.5

Requirements ¶

The below requirements are needed on the host that executes this module.

fortiosapi>=0.9.8

Parameters ¶

Parameter			Choices/Defaults	Comments
host string				FortiOS or FortiGate IP address.
https boolean			Choices: no yes ←	Indicates if the requests towards FortiGate must use HTTPS protocol.
password string			Default: ""	FortiOS or FortiGate password.
ssl_verify boolean added in 2.9			Choices: no yes ←	Ensures FortiGate certificate must be verified by a proper CA.
state string added in 2.9			Choices: present absent	Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level.
username string				FortiOS or FortiGate username.
vdom string			Default: "root"	Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit.
wireless_controller_vap dictionary			Default: null	Configure Virtual Access Points (VAPs).
	acct_interim_interval integer			WiFi RADIUS accounting interim interval (60 - 86400 sec).
	alias string			Alias.
	auth string		Choices: psk radius usergroup	Authentication protocol.
	broadcast_ssid string		Choices: enable disable	Enable/disable broadcasting the SSID .
	broadcast_suppression string		Choices: dhcp-up dhcp-down dhcp-starvation arp-known arp-unknown arp-reply arp-poison arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc	Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network.
	captive_portal_ac_name string			Local-bridging captive portal ac-name.
	captive_portal_macauth_radius_secret string			Secret key to access the macauth RADIUS server.
	captive_portal_macauth_radius_server string			Captive portal external RADIUS server domain name or IP address.
	captive_portal_radius_secret string			Secret key to access the RADIUS server.
	captive_portal_radius_server string			Captive portal RADIUS server domain name or IP address.
	captive_portal_session_timeout_interval integer			Session timeout interval (0 - 864000 sec).
	dhcp_lease_time integer			DHCP lease time in seconds for NAT IP address.
	dhcp_option82_circuit_id_insertion string		Choices: style-1 style-2 disable	Enable/disable DHCP option 82 circuit-id insert .
	dhcp_option82_insertion string		Choices: enable disable	Enable/disable DHCP option 82 insert .
	dhcp_option82_remote_id_insertion string		Choices: style-1 disable	Enable/disable DHCP option 82 remote-id insert .
	dynamic_vlan string		Choices: enable disable	Enable/disable dynamic VLAN assignment.
	eap_reauth string		Choices: enable disable	Enable/disable EAP re-authentication for WPA-Enterprise security.
	eap_reauth_intv integer			EAP re-authentication interval (1800 - 864000 sec).
	eapol_key_retries string		Choices: disable enable	Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) .
	encrypt string		Choices: TKIP AES TKIP-AES	Encryption protocol to use (only available when security is set to a WPA type).
	external_fast_roaming string		Choices: enable disable	Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate .
	external_logout string			URL of external authentication logout server.
	external_web string			URL of external authentication web server.
	fast_bss_transition string		Choices: disable enable	Enable/disable 802.11r Fast BSS Transition (FT) .
	fast_roaming string		Choices: enable disable	Enable/disable fast-roaming, or pre-authentication, where supported by clients .
	ft_mobility_domain integer			Mobility domain identifier in FT (1 - 65535).
	ft_over_ds string		Choices: disable enable	Enable/disable FT over the Distribution System (DS).
	ft_r0_key_lifetime integer			Lifetime of the PMK-R0 key in FT, 1-65535 minutes.
	gtk_rekey string		Choices: enable disable	Enable/disable GTK rekey for WPA security.
	gtk_rekey_intv integer			GTK rekey interval (1800 - 864000 sec).
	hotspot20_profile string			Hotspot 2.0 profile name.
	intra_vap_privacy string		Choices: enable disable	Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) .
	ip string			IP address and subnet mask for the local standalone NAT subnet.
	key string			WEP Key.
	keyindex integer			WEP key index (1 - 4).
	ldpc string		Choices: disable rx tx rxtx	VAP low-density parity-check (LDPC) coding configuration.
	local_authentication string		Choices: enable disable	Enable/disable AP local authentication.
	local_bridging string		Choices: enable disable	Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP .
	local_lan string		Choices: allow deny	Allow/deny traffic destined for a Class A, B, or C private IP address .
	local_standalone string		Choices: enable disable	Enable/disable AP local standalone .
	local_standalone_nat string		Choices: enable disable	Enable/disable AP local standalone NAT mode.
	mac_auth_bypass string		Choices: enable disable	Enable/disable MAC authentication bypass.
	mac_filter string		Choices: enable disable	Enable/disable MAC filtering to block wireless clients by mac address.
	mac_filter_list list			Create a list of MAC addresses for MAC address filtering.
		id integer / required		ID.
		mac string		MAC address.
		mac_filter_policy string	Choices: allow deny	Deny or allow the client with this MAC address.
	mac_filter_policy_other string		Choices: allow deny	Allow or block clients with MAC addresses that are not in the filter list.
	max_clients integer			Maximum number of clients that can connect simultaneously to the VAP .
	max_clients_ap integer			Maximum number of clients that can connect simultaneously to each radio .
	me_disable_thresh integer			Disable multicast enhancement when this many clients are receiving multicast traffic.
	mesh_backhaul string		Choices: enable disable	Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open.
	mpsk string		Choices: enable disable	Enable/disable multiple pre-shared keys (PSKs.)
	mpsk_concurrent_clients integer			Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled.
	mpsk_key list			Pre-shared keys that can be used to connect to this virtual access point.
		comment string		Comment.
		concurrent_clients string		Number of clients that can connect using this pre-shared key.
		key_name string		Pre-shared key name.
		passphrase string		WPA Pre-shared key.
	multicast_enhance string		Choices: enable disable	Enable/disable converting multicast to unicast to improve performance .
	multicast_rate string		Choices: 0 6000 12000 24000	Multicast rate (0, 6000, 12000, or 24000 kbps).
	name string / required			Virtual AP name.
	okc string		Choices: disable enable	Enable/disable Opportunistic Key Caching (OKC) .
	passphrase string			WPA pre-shard key (PSK) to be used to authenticate WiFi users.
	pmf string		Choices: disable enable optional	Protected Management Frames (PMF) support .
	pmf_assoc_comeback_timeout integer			Protected Management Frames (PMF) comeback maximum timeout (1-20 sec).
	pmf_sa_query_retry_timeout integer			Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec).
	portal_message_override_group string			Replacement message group for this VAP (only available when security is set to a captive portal type).
	portal_message_overrides dictionary			Individual message overrides.
		auth_disclaimer_page string		Override auth-disclaimer-page message with message from portal-message-overrides group.
		auth_login_failed_page string		Override auth-login-failed-page message with message from portal-message-overrides group.
		auth_login_page string		Override auth-login-page message with message from portal-message-overrides group.
		auth_reject_page string		Override auth-reject-page message with message from portal-message-overrides group.
	portal_type string		Choices: auth auth+disclaimer disclaimer email-collect cmcc cmcc-macauth auth-mac	Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer.
	probe_resp_suppression string		Choices: enable disable	Enable/disable probe response suppression (to ignore weak signals) .
	probe_resp_threshold string			Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20).
	ptk_rekey string		Choices: enable disable	Enable/disable PTK rekey for WPA-Enterprise security.
	ptk_rekey_intv integer			PTK rekey interval (1800 - 864000 sec).
	qos_profile string			Quality of service profile name.
	quarantine string		Choices: enable disable	Enable/disable station quarantine .
	radio_2g_threshold string			Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20).
	radio_5g_threshold string			Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20).
	radio_sensitivity string		Choices: enable disable	Enable/disable software radio sensitivity (to ignore weak signals) .
	radius_mac_auth string		Choices: enable disable	Enable/disable RADIUS-based MAC authentication of clients .
	radius_mac_auth_server string			RADIUS-based MAC authentication server.
	radius_mac_auth_usergroups list			Selective user groups that are permitted for RADIUS mac authentication.
		name string / required		User group name.
	radius_server string			RADIUS server to be used to authenticate WiFi users.
	rates_11a string		Choices: 1 1-basic 2 2-basic 5.5 5.5-basic 11 11-basic 6 6-basic 9 9-basic 12 12-basic 18 18-basic 24 24-basic 36 36-basic 48 48-basic 54 54-basic	Allowed data rates for 802.11a.
	rates_11ac_ss12 string		Choices: mcs0/1 mcs1/1 mcs2/1 mcs3/1 mcs4/1 mcs5/1 mcs6/1 mcs7/1 mcs8/1 mcs9/1 mcs10/1 mcs11/1 mcs0/2 mcs1/2 mcs2/2 mcs3/2 mcs4/2 mcs5/2 mcs6/2 mcs7/2 mcs8/2 mcs9/2 mcs10/2 mcs11/2	Allowed data rates for 802.11ac with 1 or 2 spatial streams.
	rates_11ac_ss34 string		Choices: mcs0/3 mcs1/3 mcs2/3 mcs3/3 mcs4/3 mcs5/3 mcs6/3 mcs7/3 mcs8/3 mcs9/3 mcs10/3 mcs11/3 mcs0/4 mcs1/4 mcs2/4 mcs3/4 mcs4/4 mcs5/4 mcs6/4 mcs7/4 mcs8/4 mcs9/4 mcs10/4 mcs11/4	Allowed data rates for 802.11ac with 3 or 4 spatial streams.
	rates_11bg string		Choices: 1 1-basic 2 2-basic 5.5 5.5-basic 11 11-basic 6 6-basic 9 9-basic 12 12-basic 18 18-basic 24 24-basic 36 36-basic 48 48-basic 54 54-basic	Allowed data rates for 802.11b/g.
	rates_11n_ss12 string		Choices: mcs0/1 mcs1/1 mcs2/1 mcs3/1 mcs4/1 mcs5/1 mcs6/1 mcs7/1 mcs8/2 mcs9/2 mcs10/2 mcs11/2 mcs12/2 mcs13/2 mcs14/2 mcs15/2	Allowed data rates for 802.11n with 1 or 2 spatial streams.
	rates_11n_ss34 string		Choices: mcs16/3 mcs17/3 mcs18/3 mcs19/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 mcs26/4 mcs27/4 mcs28/4 mcs29/4 mcs30/4 mcs31/4	Allowed data rates for 802.11n with 3 or 4 spatial streams.
	schedule string			VAP schedule name.
	security string		Choices: open captive-portal wep64 wep128 wpa-personal wpa-personal+captive-portal wpa-enterprise wpa-only-personal wpa-only-personal+captive-portal wpa-only-enterprise wpa2-only-personal wpa2-only-personal+captive-portal wpa2-only-enterprise osen	Security mode for the wireless interface .
	security_exempt_list string			Optional security exempt list for captive portal authentication.
	security_obsolete_option string		Choices: enable disable	Enable/disable obsolete security options.
	security_redirect_url string			Optional URL for redirecting users after they pass captive portal authentication.
	selected_usergroups list			Selective user groups that are permitted to authenticate.
		name string / required		User group name.
	split_tunneling string		Choices: enable disable	Enable/disable split tunneling .
	ssid string			IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name.
	state string		Choices: present absent	Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object.
	tkip_counter_measure string		Choices: enable disable	Enable/disable TKIP counter measure.
	usergroup list			Firewall user group to be used to authenticate WiFi users.
		name string / required		User group name.
	utm_profile string			UTM profile name.
	vdom string			Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name.
	vlan_auto string		Choices: enable disable	Enable/disable automatic management of SSID VLAN interface.
	vlan_pool list			VLAN pool.
		id integer / required		ID.
		wtp_group string		WTP group name.
	vlan_pooling string		Choices: wtp-group round-robin hash disable	Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools . When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group.
	vlanid integer			Optional VLAN ID.
	voice_enterprise string		Choices: disable enable	Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming .

Notes ¶

Note

Requires fortiosapi library developed by Fortinet
Run as a local_action in your playbook

Examples ¶

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
   ssl_verify: "False"
  tasks:
  - name: Configure Virtual Access Points (VAPs).
    fortios_wireless_controller_vap:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      state: "present"
      wireless_controller_vap:
        acct_interim_interval: "3"
        alias: "<your_own_value>"
        auth: "psk"
        broadcast_ssid: "enable"
        broadcast_suppression: "dhcp-up"
        captive_portal_ac_name: "<your_own_value>"
        captive_portal_macauth_radius_secret: "<your_own_value>"
        captive_portal_macauth_radius_server: "<your_own_value>"
        captive_portal_radius_secret: "<your_own_value>"
        captive_portal_radius_server: "<your_own_value>"
        captive_portal_session_timeout_interval: "13"
        dhcp_lease_time: "14"
        dhcp_option82_circuit_id_insertion: "style-1"
        dhcp_option82_insertion: "enable"
        dhcp_option82_remote_id_insertion: "style-1"
        dynamic_vlan: "enable"
        eap_reauth: "enable"
        eap_reauth_intv: "20"
        eapol_key_retries: "disable"
        encrypt: "TKIP"
        external_fast_roaming: "enable"
        external_logout: "<your_own_value>"
        external_web: "<your_own_value>"
        fast_bss_transition: "disable"
        fast_roaming: "enable"
        ft_mobility_domain: "28"
        ft_over_ds: "disable"
        ft_r0_key_lifetime: "30"
        gtk_rekey: "enable"
        gtk_rekey_intv: "32"
        hotspot20_profile: "<your_own_value>"
        intra_vap_privacy: "enable"
        ip: "<your_own_value>"
        key: "<your_own_value>"
        keyindex: "37"
        ldpc: "disable"
        local_authentication: "enable"
        local_bridging: "enable"
        local_lan: "allow"
        local_standalone: "enable"
        local_standalone_nat: "enable"
        mac_auth_bypass: "enable"
        mac_filter: "enable"
        mac_filter_list:
         -
            id:  "47"
            mac: "<your_own_value>"
            mac_filter_policy: "allow"
        mac_filter_policy_other: "allow"
        max_clients: "51"
        max_clients_ap: "52"
        me_disable_thresh: "53"
        mesh_backhaul: "enable"
        mpsk: "enable"
        mpsk_concurrent_clients: "56"
        mpsk_key:
         -
            comment: "Comment."
            concurrent_clients: "<your_own_value>"
            key_name: "<your_own_value>"
            passphrase: "<your_own_value>"
        multicast_enhance: "enable"
        multicast_rate: "0"
        name: "default_name_64"
        okc: "disable"
        passphrase: "<your_own_value>"
        pmf: "disable"
        pmf_assoc_comeback_timeout: "68"
        pmf_sa_query_retry_timeout: "69"
        portal_message_override_group: "<your_own_value>"
        portal_message_overrides:
            auth_disclaimer_page: "<your_own_value>"
            auth_login_failed_page: "<your_own_value>"
            auth_login_page: "<your_own_value>"
            auth_reject_page: "<your_own_value>"
        portal_type: "auth"
        probe_resp_suppression: "enable"
        probe_resp_threshold: "<your_own_value>"
        ptk_rekey: "enable"
        ptk_rekey_intv: "80"
        qos_profile: "<your_own_value>"
        quarantine: "enable"
        radio_2g_threshold: "<your_own_value>"
        radio_5g_threshold: "<your_own_value>"
        radio_sensitivity: "enable"
        radius_mac_auth: "enable"
        radius_mac_auth_server: "<your_own_value>"
        radius_mac_auth_usergroups:
         -
            name: "default_name_89"
        radius_server: "<your_own_value>"
        rates_11a: "1"
        rates_11ac_ss12: "mcs0/1"
        rates_11ac_ss34: "mcs0/3"
        rates_11bg: "1"
        rates_11n_ss12: "mcs0/1"
        rates_11n_ss34: "mcs16/3"
        schedule: "<your_own_value>"
        security: "open"
        security_exempt_list: "<your_own_value>"
        security_obsolete_option: "enable"
        security_redirect_url: "<your_own_value>"
        selected_usergroups:
         -
            name: "default_name_103"
        split_tunneling: "enable"
        ssid: "<your_own_value>"
        tkip_counter_measure: "enable"
        usergroup:
         -
            name: "default_name_108"
        utm_profile: "<your_own_value>"
        vdom: "<your_own_value> (source system.vdom.name)"
        vlan_auto: "enable"
        vlan_pool:
         -
            id:  "113"
            wtp_group: "<your_own_value>"
        vlan_pooling: "wtp-group"
        vlanid: "116"
        voice_enterprise: "disable"

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
build string	always	Build number of the fortigate image Sample: 1547
http_method string	always	Last method used to provision the content into FortiGate Sample: PUT
http_status string	always	Last result given by FortiGate on last operation applied Sample: 200
mkey string	success	Master key (id) used in the last call to FortiGate Sample: id
name string	always	Name of the table used to fulfill the request Sample: urlfilter
path string	always	Path of the table used to fulfill the request Sample: webfilter
revision string	always	Internal revision number Sample: 17.0.2.10658
serial string	always	Serial number of the unit Sample: FGVMEVYYQT3AB5352
status string	always	Indication of the operation's result Sample: success
vdom string	always	Virtual domain used Sample: root
version string	always	Version of the FortiGate Sample: v5.6.3

Status ¶

This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]

Authors¶

Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.

fortios_wireless_controller_vap – Configure Virtual Access Points (VAPs) in Fortinet’s FortiOS and FortiGate¶

Synopsis¶

Requirements¶

Parameters¶

Notes¶

Examples¶

Return Values¶

Status¶