| Parameter | Choices/Defaults | Comments |
|---|---|---|
| host (string) | | FortiOS or FortiGate IP address. |
| https (boolean) | | Indicates whether requests to the FortiGate must use the HTTPS protocol. |
| password (string) | Default: "" | FortiOS or FortiGate password. |
| ssl_verify (boolean), added in 2.9 | | Ensures that the FortiGate certificate is verified by a proper CA. |
| state (string), added in 2.9 | | Indicates whether to create or remove the object. This attribute was already present in previous versions at a deeper level; it has been moved out to this outer level. |
| user_radius (dictionary) | | Configure RADIUS server entries. |
| user_radius.accounting_server (list) | | Additional accounting servers. |
| user_radius.accounting_server.id (integer, required) | | ID (0 - 4294967295). |
| user_radius.accounting_server.port (integer) | | RADIUS accounting port number. |
| user_radius.accounting_server.secret (string) | | Secret key. |
| user_radius.accounting_server.server (string) | | Server CN domain name or IP (name_str or ip_str). |
| user_radius.accounting_server.source_ip (string) | | Source IP address for communications to the RADIUS server. |
| user_radius.accounting_server.status (string) | | Status. |
| user_radius.acct_all_servers (string) | | Enable/disable sending of accounting messages to all configured servers. |
| user_radius.acct_interim_interval (integer) | | Time in seconds between each accounting interim update message. |
| user_radius.all_usergroup (string) | | Enable/disable automatically including this RADIUS server in all user groups. |
| user_radius.auth_type (string) | Choices: auto, ms_chap_v2, ms_chap, chap, pap | Authentication methods/protocols permitted for this RADIUS server. |
| user_radius.class (list) | | Class attribute name(s). |
| user_radius.class.name (string, required) | | Class name. |
| user_radius.h3c_compatibility (string) | | Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication. |
| user_radius.name (string, required) | | RADIUS server entry name. |
| user_radius.nas_ip (string) | | IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes. |
| user_radius.password_encoding (string) | | Password encoding. |
| user_radius.password_renewal (string) | | Enable/disable password renewal. |
| user_radius.radius_coa (string) | | Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. |
| user_radius.radius_port (integer) | | RADIUS service port number. |
| user_radius.rsso (string) | | Enable/disable the RADIUS based single sign-on feature. |
| user_radius.rsso_context_timeout (integer) | | Time in seconds before the logged out user is removed from the "user context list" of logged on users. |
| user_radius.rsso_endpoint_attribute (string) | Choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id, Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id | RADIUS attribute used to extract the user endpoint identifier from the RADIUS Start record. |
| user_radius.rsso_endpoint_block_attribute (string) | Choices: same list as rsso_endpoint_attribute | RADIUS attribute used to block a user. |
| user_radius.rsso_ep_one_ip_only (string) | | Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. |
| user_radius.rsso_flush_ip_session (string) | | Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. |
| user_radius.rsso_log_flags (string) | Choices: protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other, none | Events to log. |
| user_radius.rsso_log_period (integer) | | Time interval in seconds at which group event log messages will be generated for dynamic profile events. |
| user_radius.rsso_radius_response (string) | | Enable/disable sending RADIUS response packets after receiving Start and Stop records. |
| user_radius.rsso_radius_server_port (integer) | | UDP port to listen on for RADIUS Start and Stop records. |
| user_radius.rsso_secret (string) | | RADIUS secret used by the RADIUS accounting server. |
| user_radius.rsso_validate_request_secret (string) | | Enable/disable validating the RADIUS request shared secret in the Start or End record. |
| user_radius.secondary_secret (string) | | Secret key to access the secondary server. |
| user_radius.secondary_server (string) | | Secondary RADIUS CN domain name or IP (name_str or ip_str). |
| user_radius.secret (string) | | Pre-shared secret key used to access the primary RADIUS server. |
| user_radius.server (string) | | Primary RADIUS server CN domain name or IP address. |
| user_radius.source_ip (string) | | Source IP address for communications to the RADIUS server. |
| user_radius.sso_attribute (string) | Choices: same list as rsso_endpoint_attribute | RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. |
| user_radius.sso_attribute_key (string) | | Key prefix for the SSO group value in the SSO attribute. |
| user_radius.sso_attribute_value_override (string) | | Enable/disable overriding the old attribute value with the new value for the same endpoint. |
| user_radius.state (string) | | Deprecated. Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. Indicates whether to create or remove the object. |
| user_radius.tertiary_secret (string) | | Secret key to access the tertiary server. |
| user_radius.tertiary_server (string) | | Tertiary RADIUS CN domain name or IP (name_str or ip_str). |
| user_radius.timeout (integer) | | Time in seconds between re-sending authentication requests. |
| user_radius.use_management_vdom (string) | | Enable/disable using the management VDOM to send requests. |
| user_radius.username_case_sensitive (string) | | Enable/disable case-sensitive user names. |
| username (string) | | FortiOS or FortiGate username. |
| vdom (string) | Default: "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a separate unit. |
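The following playbook task is an added example (not from the original documentation) showing how the parameters above combine into a hardened RADIUS server entry: TLS to the FortiGate with certificate verification, secrets supplied from Ansible Vault rather than inline, and the permitted authentication method narrowed to ms_chap_v2 from the documented choices. It assumes the module is named fortios_user_radius, that the enable/disable string parameters take the values "enable" and "disable", and that the top-level state takes "present"; hostnames, addresses and the vault variable names are constructed placeholders.

```yaml
- name: Configure the corporate RADIUS server on a FortiGate
  hosts: localhost
  gather_facts: false
  vars:
    fgt_host: "192.0.2.10"       # constructed sample FortiGate address
    fgt_user: "ansible-admin"    # hypothetical API account name
    # vault_fgt_password and vault_radius_secret come from an
    # ansible-vault encrypted vars file, never from plain text here.
  tasks:
    - name: Create or update the RADIUS server entry
      fortios_user_radius:          # assumed module name for these parameters
        host: "{{ fgt_host }}"
        username: "{{ fgt_user }}"
        password: "{{ vault_fgt_password }}"
        vdom: "root"
        https: true          # never send the admin password over plain HTTP
        ssl_verify: true     # reject a FortiGate certificate not issued by a trusted CA
        state: present       # top-level state; the nested user_radius.state is deprecated
        user_radius:
          name: "corp-radius"
          server: "radius1.example.internal"        # constructed hostname
          secret: "{{ vault_radius_secret }}"
          secondary_server: "radius2.example.internal"
          secondary_secret: "{{ vault_radius_secret }}"
          radius_port: 1812
          auth_type: ms_chap_v2    # documented choice; excludes cleartext PAP
          timeout: 5               # seconds between retransmitted auth requests
          source_ip: "192.0.2.10"  # pin the NAS source address the RADIUS server expects
          nas_ip: "192.0.2.10"     # sent as NAS-IP-Address / Called-Station-ID
          username_case_sensitive: enable
          all_usergroup: disable   # bind this server to explicit user groups only
          rsso: disable            # no RADIUS SSO listener unless it is needed
          accounting_server:
            - id: 1
              server: "radius1.example.internal"
              port: 1813
              secret: "{{ vault_radius_secret }}"
              status: enable
      no_log: true   # keep the shared secrets out of task output and logs
```

Because the task sets no_log, a failed run reports only that the module failed; temporarily remove it when debugging against a test device that holds no production secrets.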