fortios_user_radius – Configure RADIUS server entries in Fortinet’s FortiOS and FortiGate




New in version 2.8.


Synopsis

  • This module configures a FortiGate or FortiOS device by letting the user set and modify the radius category of the user feature. The example below includes all parameters; its values need to be adjusted to your data sources before use. Tested with FOS v6.0.2.

Requirements

The following requirements are needed on the host that executes this module.

  • fortiosapi>=0.9.8

Parameters

Each parameter is listed with its choices or default in parentheses, followed by its description. Parameters nested under user_radius (and under accounting-server and class) are indented beneath their parent.

host (required)
    FortiOS or FortiGate IP address.

https (boolean; choices: no, yes)
    Indicates whether requests towards the FortiGate must use the HTTPS protocol.

password (default: "")
    FortiOS or FortiGate password.

user_radius (default: null)
    Configure RADIUS server entries.

    accounting-server
        Additional accounting servers.

        id (required)
            ID (0 - 4294967295).

        port
            RADIUS accounting port number.

        secret
            Secret key.

        server
            Server CN domain name or IP.

        source-ip
            Source IP address for communications to the RADIUS server.

        status (choices: enable, disable)
            Status.

    acct-all-servers (choices: enable, disable)
        Enable/disable sending accounting messages to all configured servers (default = disable).

    acct-interim-interval
        Time in seconds between each accounting interim update message.

    all-usergroup (choices: disable, enable)
        Enable/disable automatically including this RADIUS server in all user groups.

    auth-type (choices: auto, ms_chap_v2, ms_chap, chap, pap)
        Authentication methods/protocols permitted for this RADIUS server.

    class
        Class attribute name(s).

        name (required)
            Class name.

    h3c-compatibility (choices: enable, disable)
        Enable/disable compatibility with H3C, a mechanism that performs security checking for authentication.

    name (required)
        RADIUS server entry name.

    nas-ip
        IP address used to communicate with the RADIUS server and used as the NAS-IP-Address and Called-Station-ID attributes.

    password-encoding (choices: auto, ISO-8859-1)
        Password encoding.

    password-renewal (choices: enable, disable)
        Enable/disable password renewal.

    radius-coa (choices: enable, disable)
        Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated.

    radius-port
        RADIUS service port number.

    rsso (choices: enable, disable)
        Enable/disable the RADIUS-based single sign-on feature.

    rsso-context-timeout
        Time in seconds before the logged-out user is removed from the "user context list" of logged-on users.

    rsso-endpoint-attribute (choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id,
        Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class,
        Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node,
        Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id)
        RADIUS attributes used to extract the user endpoint identifier from the RADIUS Start record.

    rsso-endpoint-block-attribute (choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id,
        Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class,
        Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node,
        Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id)
        RADIUS attributes used to block a user.

    rsso-ep-one-ip-only (choices: enable, disable)
        Enable/disable replacing old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages.

    rsso-flush-ip-session (choices: enable, disable)
        Enable/disable flushing user IP sessions on RADIUS accounting Stop messages.

    rsso-log-flags (choices: protocol-error, profile-missing, accounting-stop-missed, accounting-event, endpoint-block, radiusd-other, none)
        Events to log.

    rsso-log-period
        Time interval in seconds at which group event log messages are generated for dynamic profile events.

    rsso-radius-response (choices: enable, disable)
        Enable/disable sending RADIUS response packets after receiving Start and Stop records.

    rsso-radius-server-port
        UDP port to listen on for RADIUS Start and Stop records.

    rsso-secret
        RADIUS secret used by the RADIUS accounting server.

    rsso-validate-request-secret (choices: enable, disable)
        Enable/disable validating the RADIUS request shared secret in the Start or End record.

    secondary-secret
        Secret key to access the secondary server.

    secondary-server
        Secondary RADIUS CN domain name or IP.

    secret
        Pre-shared secret key used to access the primary RADIUS server.

    server
        Primary RADIUS server CN domain name or IP address.

    source-ip
        Source IP address for communications to the RADIUS server.

    sso-attribute (choices: User-Name, NAS-IP-Address, Framed-IP-Address, Framed-IP-Netmask, Filter-Id,
        Login-IP-Host, Reply-Message, Callback-Number, Callback-Id, Framed-Route, Framed-IPX-Network, Class,
        Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node,
        Login-LAT-Group, Framed-AppleTalk-Zone, Acct-Session-Id, Acct-Multi-Session-Id)
        RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record.

    sso-attribute-key
        Key prefix for the SSO group value in the SSO attribute.

    sso-attribute-value-override (choices: enable, disable)
        Enable/disable overriding the old attribute value with the new value for the same endpoint.

    state (choices: present, absent)
        Indicates whether to create or remove the object.

    tertiary-secret
        Secret key to access the tertiary server.

    tertiary-server
        Tertiary RADIUS CN domain name or IP.

    timeout
        Time in seconds between re-sending authentication requests.

    use-management-vdom (choices: enable, disable)
        Enable/disable using the management VDOM to send requests.

    username-case-sensitive (choices: enable, disable)
        Enable/disable case-sensitive user names.

username (required)
    FortiOS or FortiGate username.

vdom (default: "root")
    Virtual domain, among those defined previously. A VDOM is a virtual instance of the FortiGate that can be configured and used as a separate unit.



Notes

Note

  • Requires the fortiosapi library developed by Fortinet
  • Run as a local_action in your playbook


Examples

- hosts: localhost
  vars:
   host: "192.168.122.40"
   username: "admin"
   password: ""
   vdom: "root"
  tasks:
  - name: Configure RADIUS server entries.
    fortios_user_radius:
      host:  "{{ host }}"
      username: "{{ username }}"
      password: "{{ password }}"
      vdom:  "{{ vdom }}"
      https: "False"
      user_radius:
        state: "present"
        accounting-server:
         -
            id:  "4"
            port: "5"
            secret: "<your_own_value>"
            server: "192.168.100.40"
            source-ip: "84.230.14.43"
            status: "enable"
        acct-all-servers: "enable"
        acct-interim-interval: "11"
        all-usergroup: "disable"
        auth-type: "auto"
        class:
         -
            name: "default_name_15"
        h3c-compatibility: "enable"
        name: "default_name_17"
        nas-ip: "<your_own_value>"
        password-encoding: "auto"
        password-renewal: "enable"
        radius-coa: "enable"
        radius-port: "22"
        rsso: "enable"
        rsso-context-timeout: "24"
        rsso-endpoint-attribute: "User-Name"
        rsso-endpoint-block-attribute: "User-Name"
        rsso-ep-one-ip-only: "enable"
        rsso-flush-ip-session: "enable"
        rsso-log-flags: "protocol-error"
        rsso-log-period: "30"
        rsso-radius-response: "enable"
        rsso-radius-server-port: "32"
        rsso-secret: "<your_own_value>"
        rsso-validate-request-secret: "enable"
        secondary-secret: "<your_own_value>"
        secondary-server: "<your_own_value>"
        secret: "<your_own_value>"
        server: "192.168.100.40"
        source-ip: "84.230.14.43"
        sso-attribute: "User-Name"
        sso-attribute-key: "<your_own_value>"
        sso-attribute-value-override: "enable"
        tertiary-secret: "<your_own_value>"
        tertiary-server: "<your_own_value>"
        timeout: "45"
        use-management-vdom: "enable"
        username-case-sensitive: "enable"
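As an added example (not code from the Ansible module or from Fortinet's documentation), a small Python pre-flight check that reads a task shaped like the playbook above and flags the settings a reviewer would want changed before the play runs: HTTP transport, an empty admin password, empty or placeholder shared secrets, RSSO enabled without rsso-validate-request-secret, and a task without no_log. The task dicts and the Ansible Vault variable names in the hardened sample are constructed assumptions.

```python
# Added pre-flight check (not part of the Ansible module or Fortinet's docs) for a
# fortios_user_radius task dict shaped like the playbook above.
PLACEHOLDER = "<your_own_value>"
SECRET_KEYS = ("secret", "secondary-secret", "tertiary-secret", "rsso-secret")


def audit_user_radius_task(task: dict) -> list:
    """Return the list of findings; an empty list means the task passes every check."""
    findings = []
    mod = task.get("fortios_user_radius", {})
    radius = mod.get("user_radius") or {}
    # Transport to the FortiGate API: anything but an explicit yes/true is treated as HTTP.
    if str(mod.get("https", "no")).lower() not in ("yes", "true", "1"):
        findings.append("https is not enabled: the admin password is sent in cleartext")
    if mod.get("password", "") == "":
        findings.append("password is empty")
    # Every RADIUS shared secret, including per-accounting-server ones, must be a real value.
    bad = [k for k in SECRET_KEYS if k in radius and radius[k] in ("", PLACEHOLDER)]
    bad += [f"accounting-server[{i}].secret" for i, a in enumerate(radius.get("accounting-server") or [])
            if a.get("secret", "") in ("", PLACEHOLDER)]
    findings += [f"{k} is empty or still the placeholder" for k in bad]
    # RSSO listens for accounting Start/Stop records; without secret validation those
    # records are accepted unauthenticated before they create or flush user sessions.
    if radius.get("rsso") == "enable" and radius.get("rsso-validate-request-secret") != "enable":
        findings.append("rsso is enabled without rsso-validate-request-secret")
    # Task arguments are echoed into the play output unless no_log is set.
    if not task.get("no_log"):
        findings.append("no_log is not set: secrets would appear in playbook output")
    return findings


def make_task(password, https, secret, no_log=False):
    """Build a minimal task dict mirroring the documentation playbook (constructed sample)."""
    task = {"name": "Configure RADIUS server entries.", "fortios_user_radius": {
        "host": "192.168.122.40", "username": "admin", "password": password, "https": https,
        "user_radius": {"state": "present", "name": "default_name_17", "server": "192.168.100.40",
                        "secret": secret, "rsso": "enable", "rsso-validate-request-secret": "enable",
                        "accounting-server": [{"id": "4", "server": "192.168.100.40",
                                               "secret": secret}]}}}
    if no_log:
        task["no_log"] = True
    return task


# As written in the documentation example: HTTP, empty admin password, placeholder secrets.
DOC_EXAMPLE_TASK = make_task(password="", https="False", secret=PLACEHOLDER)
# Same task with Ansible Vault variables (names assumed) and task output suppressed.
HARDENED_TASK = make_task(password="{{ vault_fortigate_password }}", https="yes",
                          secret="{{ vault_radius_secret }}", no_log=True)
```

Run audit_user_radius_task over each task from a pre-commit hook or CI job; the documentation example yields five findings and the hardened task none.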

Return Values

Common return values are documented separately; the following fields are unique to this module:

Each key is listed with its type and when it is returned in parentheses, followed by its description and a sample value.

build (string, always)
    Build number of the FortiGate image. Sample: 1547

http_method (string, always)
    Last method used to provision the content into the FortiGate. Sample: PUT

http_status (string, always)
    Last result given by the FortiGate on the last operation applied. Sample: 200

mkey (string, success)
    Master key (id) used in the last call to the FortiGate. Sample: id

name (string, always)
    Name of the table used to fulfill the request. Sample: urlfilter

path (string, always)
    Path of the table used to fulfill the request. Sample: webfilter

revision (string, always)
    Internal revision number. Sample: 17.0.2.10658

serial (string, always)
    Serial number of the unit. Sample: FGVMEVYYQT3AB5352

status (string, always)
    Indication of the operation's result. Sample: success

vdom (string, always)
    Virtual domain used. Sample: root

version (string, always)
    Version of the FortiGate. Sample: v5.6.3





Authors

  • Miguel Angel Munoz (@mamunozgonzalez)
  • Nicolas Thomas (@thomnico)



© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fortios_user_radius_module.html