| Parameter | Choices/Defaults | Comments | 
                
                                                            | host 
                    string
                                                                 |  | FortiOS or FortiGate IP address. | 
                            
                                                            | https 
                    boolean
                                                                 |  | Indicates if the requests towards FortiGate must use HTTPS protocol. | 
                            
                                                            | password 
                    string
                                                                 | Default: 
 "" | FortiOS or FortiGate password. | 
                            
                                                            | ssl_verify 
                    boolean
                                                                 added in 2.9 |  | Ensures FortiGate certificate must be verified by a proper CA. | 
                            
                                                            | state 
                    string
                                                                 added in 2.9 |  | Indicates whether to create or remove the object. This attribute was present already in previous version in a deeper level. It has been moved out to this outer level. | 
                            
                                                            | username 
                    string
                                                                 |  | FortiOS or FortiGate username. | 
                            
                                                            | vdom 
                    string
                                                                 | Default: 
 "root" | Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. | 
                            
                                                            | wireless_controller_vap 
                    dictionary
                                                                 | Default: 
 null | Configure Virtual Access Points (VAPs). | 
                                                        
                                                |  | acct_interim_interval 
                    integer
                                                                 |  | WiFi RADIUS accounting interim interval (60 - 86400 sec). | 
                            
                                                |  | alias 
                    string
                                                                 |  | Alias. | 
                            
                                                |  | auth 
                    string
                                                                 | Choices:
                                                                                                                                                            pskradiususergroup | Authentication protocol. | 
                            
                                                |  | broadcast_ssid 
                    string
                                                                 |  | Enable/disable broadcasting the SSID . | 
                            
                                                |  | broadcast_suppression 
                    string
                                                                 | Choices:
                                                                                                                                                            dhcp-updhcp-downdhcp-starvationarp-knownarp-unknownarp-replyarp-poisonarp-proxynetbios-nsnetbios-dsipv6all-other-mcall-other-bc | Optional suppression of broadcast messages. For example, you can keep DHCP messages, ARP broadcasts, and so on off of the wireless network. | 
                            
                                                |  | captive_portal_ac_name 
                    string
                                                                 |  | Local-bridging captive portal ac-name. | 
                            
                                                |  | captive_portal_macauth_radius_secret 
                    string
                                                                 |  | Secret key to access the macauth RADIUS server. | 
                            
                                                |  | captive_portal_macauth_radius_server 
                    string
                                                                 |  | Captive portal external RADIUS server domain name or IP address. | 
                            
                                                |  | captive_portal_radius_secret 
                    string
                                                                 |  | Secret key to access the RADIUS server. | 
                            
                                                |  | captive_portal_radius_server 
                    string
                                                                 |  | Captive portal RADIUS server domain name or IP address. | 
                            
                                                |  | captive_portal_session_timeout_interval 
                    integer
                                                                 |  | Session timeout interval (0 - 864000 sec). | 
                            
                                                |  | dhcp_lease_time 
                    integer
                                                                 |  | DHCP lease time in seconds for NAT IP address. | 
                            
                                                |  | dhcp_option82_circuit_id_insertion 
                    string
                                                                 | Choices:
                                                                                                                                                            style-1style-2disable | Enable/disable DHCP option 82 circuit-id insert . | 
                            
                                                |  | dhcp_option82_insertion 
                    string
                                                                 |  | Enable/disable DHCP option 82 insert . | 
                            
                                                |  | dhcp_option82_remote_id_insertion 
                    string
                                                                 |  | Enable/disable DHCP option 82 remote-id insert . | 
                            
                                                |  | dynamic_vlan 
                    string
                                                                 |  | Enable/disable dynamic VLAN assignment. | 
                            
                                                |  | eap_reauth 
                    string
                                                                 |  | Enable/disable EAP re-authentication for WPA-Enterprise security. | 
                            
                                                |  | eap_reauth_intv 
                    integer
                                                                 |  | EAP re-authentication interval (1800 - 864000 sec). | 
                            
                                                |  | eapol_key_retries 
                    string
                                                                 |  | Enable/disable retransmission of EAPOL-Key frames (message 3/4 and group message 1/2) . | 
                            
                                                |  | encrypt 
                    string
                                                                 | Choices:
                                                                                                                                                            TKIPAESTKIP-AES | Encryption protocol to use (only available when security is set to a WPA type). | 
                            
                                                |  | external_fast_roaming 
                    string
                                                                 |  | Enable/disable fast roaming or pre-authentication with external APs not managed by the FortiGate . | 
                            
                                                |  | external_logout 
                    string
                                                                 |  | URL of external authentication logout server. | 
                            
                                                |  | external_web 
                    string
                                                                 |  | URL of external authentication web server. | 
                            
                                                |  | fast_bss_transition 
                    string
                                                                 |  | Enable/disable 802.11r Fast BSS Transition (FT) . | 
                            
                                                |  | fast_roaming 
                    string
                                                                 |  | Enable/disable fast-roaming, or pre-authentication, where supported by clients . | 
                            
                                                |  | ft_mobility_domain 
                    integer
                                                                 |  | Mobility domain identifier in FT (1 - 65535). | 
                            
                                                |  | ft_over_ds 
                    string
                                                                 |  | Enable/disable FT over the Distribution System (DS). | 
                            
                                                |  | ft_r0_key_lifetime 
                    integer
                                                                 |  | Lifetime of the PMK-R0 key in FT, 1-65535 minutes. | 
                            
                                                |  | gtk_rekey 
                    string
                                                                 |  | Enable/disable GTK rekey for WPA security. | 
                            
                                                |  | gtk_rekey_intv 
                    integer
                                                                 |  | GTK rekey interval (1800 - 864000 sec). | 
                            
                                                |  | hotspot20_profile 
                    string
                                                                 |  | Hotspot 2.0 profile name. | 
                            
                                                |  | intra_vap_privacy 
                    string
                                                                 |  | Enable/disable blocking communication between clients on the same SSID (called intra-SSID privacy) . | 
                            
                                                |  | ip 
                    string
                                                                 |  | IP address and subnet mask for the local standalone NAT subnet. | 
                            
                                                |  | key 
                    string
                                                                 |  | WEP Key. | 
                            
                                                |  | keyindex 
                    integer
                                                                 |  | WEP key index (1 - 4). | 
                            
                                                |  | ldpc 
                    string
                                                                 | Choices:
                                                                                                                                                            disablerxtxrxtx | VAP low-density parity-check (LDPC) coding configuration. | 
                            
                                                |  | local_authentication 
                    string
                                                                 |  | Enable/disable AP local authentication. | 
                            
                                                |  | local_bridging 
                    string
                                                                 |  | Enable/disable bridging of wireless and Ethernet interfaces on the FortiAP . | 
                            
                                                |  | local_lan 
                    string
                                                                 |  | Allow/deny traffic destined for a Class A, B, or C private IP address . | 
                            
                                                |  | local_standalone 
                    string
                                                                 |  | Enable/disable AP local standalone . | 
                            
                                                |  | local_standalone_nat 
                    string
                                                                 |  | Enable/disable AP local standalone NAT mode. | 
                            
                                                |  | mac_auth_bypass 
                    string
                                                                 |  | Enable/disable MAC authentication bypass. | 
                            
                                                |  | mac_filter 
                    string
                                                                 |  | Enable/disable MAC filtering to block wireless clients by mac address. | 
                            
                                                |  | mac_filter_list 
                    list
                                                                 |  | Create a list of MAC addresses for MAC address filtering. | 
                                                        
                                                |  |  | id 
                    integer
                                             / required                     |  | ID. | 
                            
                                                |  |  | mac 
                    string
                                                                 |  | MAC address. | 
                            
                                                |  |  | mac_filter_policy 
                    string
                                                                 |  | Deny or allow the client with this MAC address. | 
                                            
                                                |  | mac_filter_policy_other 
                    string
                                                                 |  | Allow or block clients with MAC addresses that are not in the filter list. | 
                            
                                                |  | max_clients 
                    integer
                                                                 |  | Maximum number of clients that can connect simultaneously to the VAP . | 
                            
                                                |  | max_clients_ap 
                    integer
                                                                 |  | Maximum number of clients that can connect simultaneously to each radio . | 
                            
                                                |  | me_disable_thresh 
                    integer
                                                                 |  | Disable multicast enhancement when this many clients are receiving multicast traffic. | 
                            
                                                |  | mesh_backhaul 
                    string
                                                                 |  | Enable/disable using this VAP as a WiFi mesh backhaul . This entry is only available when security is set to a WPA type or open. | 
                            
                                                |  | mpsk 
                    string
                                                                 |  | Enable/disable multiple pre-shared keys (PSKs.) | 
                            
                                                |  | mpsk_concurrent_clients 
                    integer
                                                                 |  | Number of pre-shared keys (PSKs) to allow if multiple pre-shared keys are enabled. | 
                            
                                                |  | mpsk_key 
                    list
                                                                 |  | Pre-shared keys that can be used to connect to this virtual access point. | 
                                                        
                                                |  |  | comment 
                    string
                                                                 |  | Comment. | 
                            
                                                |  |  | concurrent_clients 
                    string
                                                                 |  | Number of clients that can connect using this pre-shared key. | 
                            
                                                |  |  | key_name 
                    string
                                                                 |  | Pre-shared key name. | 
                            
                                                |  |  | passphrase 
                    string
                                                                 |  | WPA Pre-shared key. | 
                                            
                                                |  | multicast_enhance 
                    string
                                                                 |  | Enable/disable converting multicast to unicast to improve performance . | 
                            
                                                |  | multicast_rate 
                    string
                                                                 | Choices:
                                                                                                                                                            060001200024000 | Multicast rate (0, 6000, 12000, or 24000 kbps). | 
                            
                                                |  | name 
                    string
                                             / required                     |  | Virtual AP name. | 
                            
                                                |  | okc 
                    string
                                                                 |  | Enable/disable Opportunistic Key Caching (OKC) . | 
                            
                                                |  | passphrase 
                    string
                                                                 |  | WPA pre-shard key (PSK) to be used to authenticate WiFi users. | 
                            
                                                |  | pmf 
                    string
                                                                 | Choices:
                                                                                                                                                            disableenableoptional | Protected Management Frames (PMF) support . | 
                            
                                                |  | pmf_assoc_comeback_timeout 
                    integer
                                                                 |  | Protected Management Frames (PMF) comeback maximum timeout (1-20 sec). | 
                            
                                                |  | pmf_sa_query_retry_timeout 
                    integer
                                                                 |  | Protected Management Frames (PMF) SA query retry timeout interval (1 - 5 100s of msec). | 
                            
                                                |  | portal_message_override_group 
                    string
                                                                 |  | Replacement message group for this VAP (only available when security is set to a captive portal type). | 
                            
                                                |  | portal_message_overrides 
                    dictionary
                                                                 |  | Individual message overrides. | 
                                                        
                                                |  |  | auth_disclaimer_page 
                    string
                                                                 |  | Override auth-disclaimer-page message with message from portal-message-overrides group. | 
                            
                                                |  |  | auth_login_failed_page 
                    string
                                                                 |  | Override auth-login-failed-page message with message from portal-message-overrides group. | 
                            
                                                |  |  | auth_login_page 
                    string
                                                                 |  | Override auth-login-page message with message from portal-message-overrides group. | 
                            
                                                |  |  | auth_reject_page 
                    string
                                                                 |  | Override auth-reject-page message with message from portal-message-overrides group. | 
                                            
                                                |  | portal_type 
                    string
                                                                 | Choices:
                                                                                                                                                            authauth+disclaimerdisclaimeremail-collectcmcccmcc-macauthauth-mac | Captive portal functionality. Configure how the captive portal authenticates users and whether it includes a disclaimer. | 
                            
                                                |  | probe_resp_suppression 
                    string
                                                                 |  | Enable/disable probe response suppression (to ignore weak signals) . | 
                            
                                                |  | probe_resp_threshold 
                    string
                                                                 |  | Minimum signal level/threshold in dBm required for the AP response to probe requests (-95 to -20). | 
                            
                                                |  | ptk_rekey 
                    string
                                                                 |  | Enable/disable PTK rekey for WPA-Enterprise security. | 
                            
                                                |  | ptk_rekey_intv 
                    integer
                                                                 |  | PTK rekey interval (1800 - 864000 sec). | 
                            
                                                |  | qos_profile 
                    string
                                                                 |  | Quality of service profile name. | 
                            
                                                |  | quarantine 
                    string
                                                                 |  | Enable/disable station quarantine . | 
                            
                                                |  | radio_2g_threshold 
                    string
                                                                 |  | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 2.4G band (-95 to -20). | 
                            
                                                |  | radio_5g_threshold 
                    string
                                                                 |  | Minimum signal level/threshold in dBm required for the AP response to receive a packet in 5G band(-95 to -20). | 
                            
                                                |  | radio_sensitivity 
                    string
                                                                 |  | Enable/disable software radio sensitivity (to ignore weak signals) . | 
                            
                                                |  | radius_mac_auth 
                    string
                                                                 |  | Enable/disable RADIUS-based MAC authentication of clients . | 
                            
                                                |  | radius_mac_auth_server 
                    string
                                                                 |  | RADIUS-based MAC authentication server. | 
                            
                                                |  | radius_mac_auth_usergroups 
                    list
                                                                 |  | Selective user groups that are permitted for RADIUS mac authentication. | 
                                                        
                                                |  |  | name 
                    string
                                             / required                     |  | User group name. | 
                                            
                                                |  | radius_server 
                    string
                                                                 |  | RADIUS server to be used to authenticate WiFi users. | 
                            
                                                |  | rates_11a 
                    string
                                                                 | Choices:
                                                                                                                                                            11-basic22-basic5.55.5-basic1111-basic66-basic99-basic1212-basic1818-basic2424-basic3636-basic4848-basic5454-basic | Allowed data rates for 802.11a. | 
                            
                                                |  | rates_11ac_ss12 
                    string
                                                                 | Choices:
                                                                                                                                                            mcs0/1mcs1/1mcs2/1mcs3/1mcs4/1mcs5/1mcs6/1mcs7/1mcs8/1mcs9/1mcs10/1mcs11/1mcs0/2mcs1/2mcs2/2mcs3/2mcs4/2mcs5/2mcs6/2mcs7/2mcs8/2mcs9/2mcs10/2mcs11/2 | Allowed data rates for 802.11ac with 1 or 2 spatial streams. | 
                            
                                                |  | rates_11ac_ss34 
                    string
                                                                 | Choices:
                                                                                                                                                            mcs0/3mcs1/3mcs2/3mcs3/3mcs4/3mcs5/3mcs6/3mcs7/3mcs8/3mcs9/3mcs10/3mcs11/3mcs0/4mcs1/4mcs2/4mcs3/4mcs4/4mcs5/4mcs6/4mcs7/4mcs8/4mcs9/4mcs10/4mcs11/4 | Allowed data rates for 802.11ac with 3 or 4 spatial streams. | 
                            
                                                |  | rates_11bg 
                    string
                                                                 | Choices:
                                                                                                                                                            11-basic22-basic5.55.5-basic1111-basic66-basic99-basic1212-basic1818-basic2424-basic3636-basic4848-basic5454-basic | Allowed data rates for 802.11b/g. | 
                            
                                                |  | rates_11n_ss12 
                    string
                                                                 | Choices:
                                                                                                                                                            mcs0/1mcs1/1mcs2/1mcs3/1mcs4/1mcs5/1mcs6/1mcs7/1mcs8/2mcs9/2mcs10/2mcs11/2mcs12/2mcs13/2mcs14/2mcs15/2 | Allowed data rates for 802.11n with 1 or 2 spatial streams. | 
                            
                                                |  | rates_11n_ss34 
                    string
                                                                 | Choices:
                                                                                                                                                            mcs16/3mcs17/3mcs18/3mcs19/3mcs20/3mcs21/3mcs22/3mcs23/3mcs24/4mcs25/4mcs26/4mcs27/4mcs28/4mcs29/4mcs30/4mcs31/4 | Allowed data rates for 802.11n with 3 or 4 spatial streams. | 
                            
                                                |  | schedule 
                    string
                                                                 |  | VAP schedule name. | 
                            
                                                |  | security 
                    string
                                                                 | Choices:
                                                                                                                                                            opencaptive-portalwep64wep128wpa-personalwpa-personal+captive-portalwpa-enterprisewpa-only-personalwpa-only-personal+captive-portalwpa-only-enterprisewpa2-only-personalwpa2-only-personal+captive-portalwpa2-only-enterpriseosen | Security mode for the wireless interface . | 
                            
                                                |  | security_exempt_list 
                    string
                                                                 |  | Optional security exempt list for captive portal authentication. | 
                            
                                                |  | security_obsolete_option 
                    string
                                                                 |  | Enable/disable obsolete security options. | 
                            
                                                |  | security_redirect_url 
                    string
                                                                 |  | Optional URL for redirecting users after they pass captive portal authentication. | 
                            
                                                |  | selected_usergroups 
                    list
                                                                 |  | Selective user groups that are permitted to authenticate. | 
                                                        
                                                |  |  | name 
                    string
                                             / required                     |  | User group name. | 
                                            
                                                |  | split_tunneling 
                    string
                                                                 |  | Enable/disable split tunneling . | 
                            
                                                |  | ssid 
                    string
                                                                 |  | IEEE 802.11 service set identifier (SSID) for the wireless interface. Users who wish to use the wireless network must configure their computers to access this SSID name. | 
                            
                                                |  | state 
                    string
                                                                 |  | Deprecated Starting with Ansible 2.9 we recommend using the top-level 'state' parameter. 
 Indicates whether to create or remove the object. | 
                            
                                                |  | tkip_counter_measure 
                    string
                                                                 |  | Enable/disable TKIP counter measure. | 
                            
                                                |  | usergroup 
                    list
                                                                 |  | Firewall user group to be used to authenticate WiFi users. | 
                                                        
                                                |  |  | name 
                    string
                                             / required                     |  | User group name. | 
                                            
                                                |  | utm_profile 
                    string
                                                                 |  | UTM profile name. | 
                            
                                                |  | vdom 
                    string
                                                                 |  | Name of the VDOM that the Virtual AP has been added to. Source system.vdom.name. | 
                            
                                                |  | vlan_auto 
                    string
                                                                 |  | Enable/disable automatic management of SSID VLAN interface. | 
                            
                                                |  | vlan_pool 
                    list
                                                                 |  | VLAN pool. | 
                                                        
                                                |  |  | id 
                    integer
                                             / required                     |  | ID. | 
                            
                                                |  |  | wtp_group 
                    string
                                                                 |  | WTP group name. | 
                                            
                                                |  | vlan_pooling 
                    string
                                                                 | Choices:
                                                                                                                                                            wtp-groupround-robinhashdisable | Enable/disable VLAN pooling, to allow grouping of multiple wireless controller VLANs into VLAN pools . When set to wtp-group, VLAN pooling occurs with VLAN assignment by wtp-group. | 
                            
                                                |  | vlanid 
                    integer
                                                                 |  | Optional VLAN ID. | 
                            
                                                |  | voice_enterprise 
                    string
                                                                 |  | Enable/disable 802.11k and 802.11v assisted Voice-Enterprise roaming . |