@pulumiverse/fortios
A Pulumi package for creating and managing Fortios resources. Based on terraform-provider-fortios: version v1.16.0
import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
/**
* Configure RADIUS server entries.
*
* Several properties of this resource carry credentials (`secret`, `secondarySecret`,
* `tertiarySecret`, `rssoSecret`) or decide how strongly the RADIUS exchange is protected
* (`authType`, `transportProtocol`, `caCert`, `serverIdentityCheck`, `tlsMinProtoVersion`,
* `rssoValidateRequestSecret`). Review those explicitly instead of copying example values.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as fortios from "@pulumiverse/fortios";
*
* // Read the shared secret from encrypted stack configuration rather than hard-coding it
* // in the program (set it with `pulumi config set --secret radiusSecret <value>`).
* const config = new pulumi.Config();
* const radiusSecret = config.requireSecret("radiusSecret");
*
* const trname = new fortios.user.Radius("trname", {
* acctAllServers: "disable",
* allUsergroup: "disable",
* authType: "auto",
* h3cCompatibility: "disable",
* nasIp: "0.0.0.0",
* passwordEncoding: "auto",
* passwordRenewal: "disable",
* radiusCoa: "disable",
* radiusPort: 0,
* rsso: "disable",
* rssoContextTimeout: 28800,
* rssoEndpointAttribute: "Calling-Station-Id",
* rssoEpOneIpOnly: "disable",
* rssoFlushIpSession: "disable",
* rssoLogFlags: "protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other",
* rssoLogPeriod: 0,
* rssoRadiusResponse: "disable",
* rssoRadiusServerPort: 1813,
* rssoValidateRequestSecret: "disable",
* secret: radiusSecret,
* server: "1.1.1.1",
* ssoAttribute: "Class",
* ssoAttributeValueOverride: "enable",
* timeout: 5,
* useManagementVdom: "disable",
* usernameCaseSensitive: "disable",
* });
* ```
*
* ## Import
*
* User Radius can be imported using any of these accepted formats:
*
* ```sh
* $ pulumi import fortios:user/radius:Radius labelname {{name}}
* ```
*
* If you do not want to import arguments of block:
*
* ```sh
* $ export "FORTIOS_IMPORT_TABLE"="false"
* $ pulumi import fortios:user/radius:Radius labelname {{name}}
* $ unset "FORTIOS_IMPORT_TABLE"
* ```
*/
export declare class Radius extends pulumi.CustomResource {
/**
* Get an existing Radius resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to lookup.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns The Radius resource for the given name and ID.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: RadiusState, opts?: pulumi.CustomResourceOptions): Radius;
/**
* Returns true if the given object is an instance of Radius. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*/
static isInstance(obj: any): obj is Radius;
/**
* Define subject identity field in certificate for user access right checking.
*/
readonly accountKeyCertField: pulumi.Output<string>;
/**
* Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity. Valid values: `same`, `strip`.
*/
readonly accountKeyProcessing: pulumi.Output<string>;
/**
* Additional accounting servers. The structure of `accountingServer` block is documented below.
*/
readonly accountingServers: pulumi.Output<outputs.user.RadiusAccountingServer[] | undefined>;
/**
* Enable/disable sending of accounting messages to all configured servers (default = disable). Valid values: `enable`, `disable`.
*/
readonly acctAllServers: pulumi.Output<string>;
/**
* Time in seconds between each accounting interim update message.
*/
readonly acctInterimInterval: pulumi.Output<number>;
/**
* Enable/disable automatically including this RADIUS server in all user groups. Valid values: `disable`, `enable`.
*
* With `enable`, this server becomes an authentication source for every user group, so
* the set of policies it can grant access to is no longer scoped per group.
*/
readonly allUsergroup: pulumi.Output<string>;
/**
* Authentication methods/protocols permitted for this RADIUS server. Valid values: `auto`, `msChapV2`, `msChap`, `chap`, `pap`.
*
* With `pap` the user password is protected only by the RADIUS shared secret; `chap` and
* `msChap` are legacy challenge-response schemes.
* NOTE(review): `auto` leaves the choice to the device; which methods it may fall back to
* is not stated here — confirm before relying on it.
*/
readonly authType: pulumi.Output<string>;
/**
* CA of server to trust under TLS.
*
* Presumably only consulted when `transportProtocol` is `tls` — confirm.
*/
readonly caCert: pulumi.Output<string>;
/**
* Calling & Called station identifier type configuration (default = legacy), this option is not available for 802.1x authentication. Valid values: `legacy`, `IP`, `MAC`.
*/
readonly callStationIdType: pulumi.Output<string>;
/**
* Class attribute name(s). The structure of `class` block is documented below.
*/
readonly classes: pulumi.Output<outputs.user.RadiusClass[] | undefined>;
/**
* Client certificate to use under TLS.
*/
readonly clientCert: pulumi.Output<string>;
/**
* Configure delimiter to be used for separating profile group names in the SSO attribute (default = plus character "+"). Valid values: `plus`, `comma`.
*/
readonly delimiter: pulumi.Output<string>;
/**
* Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
readonly dynamicSortSubtable: pulumi.Output<string | undefined>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
readonly getAllTables: pulumi.Output<string | undefined>;
/**
* RADIUS attribute type to override user group information. Valid values: `filter-Id`, `class`.
*
* The named attribute is supplied by the RADIUS server, so group membership derived from
* it is only as trustworthy as that server and the channel to it.
*/
readonly groupOverrideAttrType: pulumi.Output<string>;
/**
* Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. Valid values: `enable`, `disable`.
*/
readonly h3cCompatibility: pulumi.Output<string>;
/**
* Specify outgoing interface to reach server.
*/
readonly interface: pulumi.Output<string>;
/**
* Specify how to select outgoing interface to reach server. Valid values: `auto`, `sdwan`, `specify`.
*/
readonly interfaceSelectMethod: pulumi.Output<string>;
/**
* MAC authentication case (default = lowercase). Valid values: `uppercase`, `lowercase`.
*/
readonly macCase: pulumi.Output<string>;
/**
* MAC authentication password delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
readonly macPasswordDelimiter: pulumi.Output<string>;
/**
* MAC authentication username delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
readonly macUsernameDelimiter: pulumi.Output<string>;
/**
* RADIUS server entry name.
*/
readonly name: pulumi.Output<string>;
/**
* Custom NAS identifier.
*/
readonly nasId: pulumi.Output<string>;
/**
* NAS identifier type configuration (default = legacy). Valid values: `legacy`, `custom`, `hostname`.
*/
readonly nasIdType: pulumi.Output<string>;
/**
* IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
*/
readonly nasIp: pulumi.Output<string>;
/**
* Password encoding. Valid values: `auto`, `ISO-8859-1`.
*/
readonly passwordEncoding: pulumi.Output<string>;
/**
* Enable/disable password renewal. Valid values: `enable`, `disable`.
*/
readonly passwordRenewal: pulumi.Output<string>;
/**
* Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. Valid values: `enable`, `disable`.
*
* Enabling this lets the RADIUS side alter sessions that are already authenticated, so it
* extends the trust placed in the server and in the shared secret protecting its messages.
*/
readonly radiusCoa: pulumi.Output<string>;
/**
* RADIUS service port number.
*/
readonly radiusPort: pulumi.Output<number>;
/**
* Enable/disable RADIUS based single sign on feature. Valid values: `enable`, `disable`.
*/
readonly rsso: pulumi.Output<string>;
/**
* Time in seconds before the logged out user is removed from the "user context list" of logged on users.
*/
readonly rssoContextTimeout: pulumi.Output<number>;
/**
* RADIUS attributes used to extract the user end point identifier from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
readonly rssoEndpointAttribute: pulumi.Output<string>;
/**
* RADIUS attributes used to block a user. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
readonly rssoEndpointBlockAttribute: pulumi.Output<string>;
/**
* Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. Valid values: `enable`, `disable`.
*/
readonly rssoEpOneIpOnly: pulumi.Output<string>;
/**
* Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. Valid values: `enable`, `disable`.
*/
readonly rssoFlushIpSession: pulumi.Output<string>;
/**
* Events to log. Valid values: `protocol-error`, `profile-missing`, `accounting-stop-missed`, `accounting-event`, `endpoint-block`, `radiusd-other`, `none`.
*
* `none` turns these events off, which removes the log trail for protocol errors and
* endpoint blocks.
*/
readonly rssoLogFlags: pulumi.Output<string>;
/**
* Time interval in seconds that group event log messages will be generated for dynamic profile events.
*/
readonly rssoLogPeriod: pulumi.Output<number>;
/**
* Enable/disable sending RADIUS response packets after receiving Start and Stop records. Valid values: `enable`, `disable`.
*/
readonly rssoRadiusResponse: pulumi.Output<string>;
/**
* UDP port to listen on for RADIUS Start and Stop records.
*
* This is a listening port on the device; limit which sources can reach it.
*/
readonly rssoRadiusServerPort: pulumi.Output<number>;
/**
* RADIUS secret used by the RADIUS accounting server.
*
* Sensitive value: pass it as a Pulumi secret (for example `config.requireSecret(...)` or
* `pulumi.secret(...)`), never as a literal in source.
* NOTE(review): typed here as a plain `pulumi.Output`; whether the provider marks it
* secret in state is not visible in this file — confirm.
*/
readonly rssoSecret: pulumi.Output<string | undefined>;
/**
* Enable/disable validating the RADIUS request shared secret in the Start or End record. Valid values: `enable`, `disable`.
*
* With `disable`, Start/End records are accepted without this shared-secret check.
* NOTE(review): presumably the check uses `rssoSecret` — confirm.
*/
readonly rssoValidateRequestSecret: pulumi.Output<string>;
/**
* Secret key to access the secondary server.
*
* Sensitive value: pass it as a Pulumi secret (for example `config.requireSecret(...)` or
* `pulumi.secret(...)`), never as a literal in source.
*/
readonly secondarySecret: pulumi.Output<string | undefined>;
/**
* Secondary RADIUS server CN domain name or IP address.
*/
readonly secondaryServer: pulumi.Output<string>;
/**
* Pre-shared secret key used to access the primary RADIUS server.
*
* Sensitive value: pass it as a Pulumi secret (for example `config.requireSecret(...)` or
* `pulumi.secret(...)`), never as a literal in source.
* NOTE(review): typed here as a plain `pulumi.Output`; whether the provider marks it
* secret in state is not visible in this file — confirm.
*/
readonly secret: pulumi.Output<string | undefined>;
/**
* Primary RADIUS server CN domain name or IP address.
*/
readonly server: pulumi.Output<string>;
/**
* Enable/disable RADIUS server identity check (verify server domain name/IP address against the server certificate). Valid values: `enable`, `disable`.
*
* With `disable`, the server's name/IP is not matched against its certificate, so a
* certificate issued for a different host would not be rejected by this check.
*/
readonly serverIdentityCheck: pulumi.Output<string>;
/**
* Source IP address for communications to the RADIUS server.
*/
readonly sourceIp: pulumi.Output<string>;
/**
* RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
readonly ssoAttribute: pulumi.Output<string>;
/**
* Key prefix for SSO group value in the SSO attribute.
*/
readonly ssoAttributeKey: pulumi.Output<string>;
/**
* Enable/disable override old attribute value with new value for the same endpoint. Valid values: `enable`, `disable`.
*/
readonly ssoAttributeValueOverride: pulumi.Output<string>;
/**
* Time for which server reachability is cached so that when a server is unreachable, it will not be retried for at least this period of time (0 = cache disabled, default = 300).
*/
readonly statusTtl: pulumi.Output<number>;
/**
* Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2).
*/
readonly switchControllerAcctFastFramedipDetect: pulumi.Output<number>;
/**
* Enable/Disable switch-controller nas-ip dynamic to dynamically set nas-ip. Valid values: `enable`, `disable`.
*/
readonly switchControllerNasIpDynamic: pulumi.Output<string>;
/**
* RADIUS service type. Valid values: `login`, `framed`, `callback-login`, `callback-framed`, `outbound`, `administrative`, `nas-prompt`, `authenticate-only`, `callback-nas-prompt`, `call-check`, `callback-administrative`.
*/
readonly switchControllerServiceType: pulumi.Output<string>;
/**
* Secret key to access the tertiary server.
*
* Sensitive value: pass it as a Pulumi secret (for example `config.requireSecret(...)` or
* `pulumi.secret(...)`), never as a literal in source.
*/
readonly tertiarySecret: pulumi.Output<string | undefined>;
/**
* Tertiary RADIUS server CN domain name or IP address.
*/
readonly tertiaryServer: pulumi.Output<string>;
/**
* Time in seconds between re-sending authentication requests.
*/
readonly timeout: pulumi.Output<number>;
/**
* Minimum supported protocol version for TLS connections (default is to follow system global setting).
*
* The accepted values are not listed in this declaration; when left unset the effective
* floor is whatever the system global setting allows.
*/
readonly tlsMinProtoVersion: pulumi.Output<string>;
/**
* Transport protocol to be used (default = udp). Valid values: `udp`, `tcp`, `tls`.
*
* Of the listed values only `tls` adds transport encryption; with `udp` or `tcp` the
* exchange relies on the shared secret alone. `caCert`, `clientCert` and
* `tlsMinProtoVersion` are the TLS-related settings declared on this resource.
*/
readonly transportProtocol: pulumi.Output<string>;
/**
* Enable/disable using management VDOM to send requests. Valid values: `enable`, `disable`.
*/
readonly useManagementVdom: pulumi.Output<string>;
/**
* Enable/disable case sensitive user names. Valid values: `enable`, `disable`.
*/
readonly usernameCaseSensitive: pulumi.Output<string>;
/**
* Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
*/
readonly vdomparam: pulumi.Output<string>;
/**
* Create a Radius resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties. Optional in
* this signature; every field of `RadiusArgs` visible here is optional as well.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args?: RadiusArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Radius resources.
*
* Every field is optional. The four `*Secret`/`secret` fields hold RADIUS shared secrets
* and should only ever be supplied as Pulumi secret values.
*/
export interface RadiusState {
/**
* Define subject identity field in certificate for user access right checking.
*/
accountKeyCertField?: pulumi.Input<string>;
/**
* Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity. Valid values: `same`, `strip`.
*/
accountKeyProcessing?: pulumi.Input<string>;
/**
* Additional accounting servers. The structure of `accountingServer` block is documented below.
*/
accountingServers?: pulumi.Input<pulumi.Input<inputs.user.RadiusAccountingServer>[]>;
/**
* Enable/disable sending of accounting messages to all configured servers (default = disable). Valid values: `enable`, `disable`.
*/
acctAllServers?: pulumi.Input<string>;
/**
* Time in seconds between each accounting interim update message.
*/
acctInterimInterval?: pulumi.Input<number>;
/**
* Enable/disable automatically including this RADIUS server in all user groups. Valid values: `disable`, `enable`.
*
* With `enable`, this server becomes an authentication source for every user group.
*/
allUsergroup?: pulumi.Input<string>;
/**
* Authentication methods/protocols permitted for this RADIUS server. Valid values: `auto`, `msChapV2`, `msChap`, `chap`, `pap`.
*
* With `pap` the user password is protected only by the RADIUS shared secret; `chap` and
* `msChap` are legacy challenge-response schemes.
* NOTE(review): which methods `auto` may fall back to is not stated here — confirm.
*/
authType?: pulumi.Input<string>;
/**
* CA of server to trust under TLS.
*/
caCert?: pulumi.Input<string>;
/**
* Calling & Called station identifier type configuration (default = legacy), this option is not available for 802.1x authentication. Valid values: `legacy`, `IP`, `MAC`.
*/
callStationIdType?: pulumi.Input<string>;
/**
* Class attribute name(s). The structure of `class` block is documented below.
*/
classes?: pulumi.Input<pulumi.Input<inputs.user.RadiusClass>[]>;
/**
* Client certificate to use under TLS.
*/
clientCert?: pulumi.Input<string>;
/**
* Configure delimiter to be used for separating profile group names in the SSO attribute (default = plus character "+"). Valid values: `plus`, `comma`.
*/
delimiter?: pulumi.Input<string>;
/**
* Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
dynamicSortSubtable?: pulumi.Input<string>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
getAllTables?: pulumi.Input<string>;
/**
* RADIUS attribute type to override user group information. Valid values: `filter-Id`, `class`.
*/
groupOverrideAttrType?: pulumi.Input<string>;
/**
* Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. Valid values: `enable`, `disable`.
*/
h3cCompatibility?: pulumi.Input<string>;
/**
* Specify outgoing interface to reach server.
*/
interface?: pulumi.Input<string>;
/**
* Specify how to select outgoing interface to reach server. Valid values: `auto`, `sdwan`, `specify`.
*/
interfaceSelectMethod?: pulumi.Input<string>;
/**
* MAC authentication case (default = lowercase). Valid values: `uppercase`, `lowercase`.
*/
macCase?: pulumi.Input<string>;
/**
* MAC authentication password delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
macPasswordDelimiter?: pulumi.Input<string>;
/**
* MAC authentication username delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
macUsernameDelimiter?: pulumi.Input<string>;
/**
* RADIUS server entry name.
*/
name?: pulumi.Input<string>;
/**
* Custom NAS identifier.
*/
nasId?: pulumi.Input<string>;
/**
* NAS identifier type configuration (default = legacy). Valid values: `legacy`, `custom`, `hostname`.
*/
nasIdType?: pulumi.Input<string>;
/**
* IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
*/
nasIp?: pulumi.Input<string>;
/**
* Password encoding. Valid values: `auto`, `ISO-8859-1`.
*/
passwordEncoding?: pulumi.Input<string>;
/**
* Enable/disable password renewal. Valid values: `enable`, `disable`.
*/
passwordRenewal?: pulumi.Input<string>;
/**
* Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. Valid values: `enable`, `disable`.
*
* Enabling this lets the RADIUS side alter sessions that are already authenticated.
*/
radiusCoa?: pulumi.Input<string>;
/**
* RADIUS service port number.
*/
radiusPort?: pulumi.Input<number>;
/**
* Enable/disable RADIUS based single sign on feature. Valid values: `enable`, `disable`.
*/
rsso?: pulumi.Input<string>;
/**
* Time in seconds before the logged out user is removed from the "user context list" of logged on users.
*/
rssoContextTimeout?: pulumi.Input<number>;
/**
* RADIUS attributes used to extract the user end point identifier from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
rssoEndpointAttribute?: pulumi.Input<string>;
/**
* RADIUS attributes used to block a user. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
rssoEndpointBlockAttribute?: pulumi.Input<string>;
/**
* Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. Valid values: `enable`, `disable`.
*/
rssoEpOneIpOnly?: pulumi.Input<string>;
/**
* Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. Valid values: `enable`, `disable`.
*/
rssoFlushIpSession?: pulumi.Input<string>;
/**
* Events to log. Valid values: `protocol-error`, `profile-missing`, `accounting-stop-missed`, `accounting-event`, `endpoint-block`, `radiusd-other`, `none`.
*/
rssoLogFlags?: pulumi.Input<string>;
/**
* Time interval in seconds that group event log messages will be generated for dynamic profile events.
*/
rssoLogPeriod?: pulumi.Input<number>;
/**
* Enable/disable sending RADIUS response packets after receiving Start and Stop records. Valid values: `enable`, `disable`.
*/
rssoRadiusResponse?: pulumi.Input<string>;
/**
* UDP port to listen on for RADIUS Start and Stop records.
*/
rssoRadiusServerPort?: pulumi.Input<number>;
/**
* RADIUS secret used by the RADIUS accounting server.
*
* Sensitive value: supply it as a Pulumi secret, never as a literal in source.
*/
rssoSecret?: pulumi.Input<string>;
/**
* Enable/disable validating the RADIUS request shared secret in the Start or End record. Valid values: `enable`, `disable`.
*
* With `disable`, Start/End records are accepted without this shared-secret check.
*/
rssoValidateRequestSecret?: pulumi.Input<string>;
/**
* Secret key to access the secondary server.
*
* Sensitive value: supply it as a Pulumi secret, never as a literal in source.
*/
secondarySecret?: pulumi.Input<string>;
/**
* Secondary RADIUS server CN domain name or IP address.
*/
secondaryServer?: pulumi.Input<string>;
/**
* Pre-shared secret key used to access the primary RADIUS server.
*
* Sensitive value: supply it as a Pulumi secret, never as a literal in source.
*/
secret?: pulumi.Input<string>;
/**
* Primary RADIUS server CN domain name or IP address.
*/
server?: pulumi.Input<string>;
/**
* Enable/disable RADIUS server identity check (verify server domain name/IP address against the server certificate). Valid values: `enable`, `disable`.
*
* With `disable`, the server's name/IP is not matched against its certificate.
*/
serverIdentityCheck?: pulumi.Input<string>;
/**
* Source IP address for communications to the RADIUS server.
*/
sourceIp?: pulumi.Input<string>;
/**
* RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
ssoAttribute?: pulumi.Input<string>;
/**
* Key prefix for SSO group value in the SSO attribute.
*/
ssoAttributeKey?: pulumi.Input<string>;
/**
* Enable/disable override old attribute value with new value for the same endpoint. Valid values: `enable`, `disable`.
*/
ssoAttributeValueOverride?: pulumi.Input<string>;
/**
* Time for which server reachability is cached so that when a server is unreachable, it will not be retried for at least this period of time (0 = cache disabled, default = 300).
*/
statusTtl?: pulumi.Input<number>;
/**
* Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2).
*/
switchControllerAcctFastFramedipDetect?: pulumi.Input<number>;
/**
* Enable/Disable switch-controller nas-ip dynamic to dynamically set nas-ip. Valid values: `enable`, `disable`.
*/
switchControllerNasIpDynamic?: pulumi.Input<string>;
/**
* RADIUS service type. Valid values: `login`, `framed`, `callback-login`, `callback-framed`, `outbound`, `administrative`, `nas-prompt`, `authenticate-only`, `callback-nas-prompt`, `call-check`, `callback-administrative`.
*/
switchControllerServiceType?: pulumi.Input<string>;
/**
* Secret key to access the tertiary server.
*
* Sensitive value: supply it as a Pulumi secret, never as a literal in source.
*/
tertiarySecret?: pulumi.Input<string>;
/**
* Tertiary RADIUS server CN domain name or IP address.
*/
tertiaryServer?: pulumi.Input<string>;
/**
* Time in seconds between re-sending authentication requests.
*/
timeout?: pulumi.Input<number>;
/**
* Minimum supported protocol version for TLS connections (default is to follow system global setting).
*/
tlsMinProtoVersion?: pulumi.Input<string>;
/**
* Transport protocol to be used (default = udp). Valid values: `udp`, `tcp`, `tls`.
*
* Of the listed values only `tls` adds transport encryption; with `udp` or `tcp` the
* exchange relies on the shared secret alone.
*/
transportProtocol?: pulumi.Input<string>;
/**
* Enable/disable using management VDOM to send requests. Valid values: `enable`, `disable`.
*/
useManagementVdom?: pulumi.Input<string>;
/**
* Enable/disable case sensitive user names. Valid values: `enable`, `disable`.
*/
usernameCaseSensitive?: pulumi.Input<string>;
/**
* Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
*/
vdomparam?: pulumi.Input<string>;
}
/**
* The set of arguments for constructing a Radius resource.
*
* Every field is optional and wrapped in `pulumi.Input`, so plain values and `Output`s are both accepted.
* Enumerated settings are typed as plain `string`: the "Valid values" lists below are documentation only and are not checked by this type.
* The shared-secret fields (`secret`, `secondarySecret`, `tertiarySecret`, `rssoSecret`) are also typed as plain `string`; see the note on each.
*/
export interface RadiusArgs {
/**
* Define subject identity field in certificate for user access right checking.
*/
accountKeyCertField?: pulumi.Input<string>;
/**
* Account key processing operation. The FortiGate will keep either the whole domain or strip the domain from the subject identity. Valid values: `same`, `strip`.
*/
accountKeyProcessing?: pulumi.Input<string>;
/**
* Additional accounting servers. The structure of `accountingServer` block is documented below.
*/
accountingServers?: pulumi.Input<pulumi.Input<inputs.user.RadiusAccountingServer>[]>;
/**
* Enable/disable sending of accounting messages to all configured servers (default = disable). Valid values: `enable`, `disable`.
*/
acctAllServers?: pulumi.Input<string>;
/**
* Time in seconds between each accounting interim update message.
*/
acctInterimInterval?: pulumi.Input<number>;
/**
* Enable/disable automatically including this RADIUS server in all user groups. Valid values: `disable`, `enable`.
*
* NOTE(review): with `enable` the server is included in every user group, so it presumably becomes an authentication source wherever any group is referenced — confirm this is intended before enabling.
*/
allUsergroup?: pulumi.Input<string>;
/**
* Authentication methods/protocols permitted for this RADIUS server. Valid values: `auto`, `msChapV2`, `msChap`, `chap`, `pap`.
*
* Security note: with `auto` the method is not pinned by this configuration; set an explicit value where policy mandates one.
* NOTE(review): how `auto` selects a method is not documented here — confirm against the FortiOS reference.
*/
authType?: pulumi.Input<string>;
/**
* CA of server to trust under TLS.
*
* NOTE(review): presumably only used when `transportProtocol` is `tls` — confirm.
*/
caCert?: pulumi.Input<string>;
/**
* Calling & Called station identifier type configuration (default = legacy), this option is not available for 802.1x authentication. Valid values: `legacy`, `IP`, `MAC`.
*/
callStationIdType?: pulumi.Input<string>;
/**
* Class attribute name(s). The structure of `class` block is documented below.
*/
classes?: pulumi.Input<pulumi.Input<inputs.user.RadiusClass>[]>;
/**
* Client certificate to use under TLS.
*
* NOTE(review): presumably only used when `transportProtocol` is `tls` — confirm.
*/
clientCert?: pulumi.Input<string>;
/**
* Configure delimiter to be used for separating profile group names in the SSO attribute (default = plus character "+"). Valid values: `plus`, `comma`.
*/
delimiter?: pulumi.Input<string>;
/**
* Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
*/
dynamicSortSubtable?: pulumi.Input<string>;
/**
* Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
*/
getAllTables?: pulumi.Input<string>;
/**
* RADIUS attribute type to override user group information. Valid values: `filter-Id`, `class`.
*/
groupOverrideAttrType?: pulumi.Input<string>;
/**
* Enable/disable compatibility with the H3C, a mechanism that performs security checking for authentication. Valid values: `enable`, `disable`.
*/
h3cCompatibility?: pulumi.Input<string>;
/**
* Specify outgoing interface to reach server.
*/
interface?: pulumi.Input<string>;
/**
* Specify how to select outgoing interface to reach server. Valid values: `auto`, `sdwan`, `specify`.
*/
interfaceSelectMethod?: pulumi.Input<string>;
/**
* MAC authentication case (default = lowercase). Valid values: `uppercase`, `lowercase`.
*/
macCase?: pulumi.Input<string>;
/**
* MAC authentication password delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
macPasswordDelimiter?: pulumi.Input<string>;
/**
* MAC authentication username delimiter (default = hyphen). Valid values: `hyphen`, `single-hyphen`, `colon`, `none`.
*/
macUsernameDelimiter?: pulumi.Input<string>;
/**
* RADIUS server entry name.
*/
name?: pulumi.Input<string>;
/**
* Custom NAS identifier.
*/
nasId?: pulumi.Input<string>;
/**
* NAS identifier type configuration (default = legacy). Valid values: `legacy`, `custom`, `hostname`.
*/
nasIdType?: pulumi.Input<string>;
/**
* IP address used to communicate with the RADIUS server and used as NAS-IP-Address and Called-Station-ID attributes.
*/
nasIp?: pulumi.Input<string>;
/**
* Password encoding. Valid values: `auto`, `ISO-8859-1`.
*/
passwordEncoding?: pulumi.Input<string>;
/**
* Enable/disable password renewal. Valid values: `enable`, `disable`.
*/
passwordRenewal?: pulumi.Input<string>;
/**
* Enable to allow a mechanism to change the attributes of an authentication, authorization, and accounting session after it is authenticated. Valid values: `enable`, `disable`.
*
* NOTE(review): this lets the RADIUS side alter a session after authentication; enable only where the configured server is trusted to do so.
*/
radiusCoa?: pulumi.Input<string>;
/**
* RADIUS service port number.
*/
radiusPort?: pulumi.Input<number>;
/**
* Enable/disable RADIUS based single sign on feature. Valid values: `enable`, `disable`.
*/
rsso?: pulumi.Input<string>;
/**
* Time in seconds before the logged out user is removed from the "user context list" of logged on users.
*/
rssoContextTimeout?: pulumi.Input<number>;
/**
* RADIUS attributes used to extract the user end point identifier from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
rssoEndpointAttribute?: pulumi.Input<string>;
/**
* RADIUS attributes used to block a user. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
rssoEndpointBlockAttribute?: pulumi.Input<string>;
/**
* Enable/disable the replacement of old IP addresses with new ones for the same endpoint on RADIUS accounting Start messages. Valid values: `enable`, `disable`.
*/
rssoEpOneIpOnly?: pulumi.Input<string>;
/**
* Enable/disable flushing user IP sessions on RADIUS accounting Stop messages. Valid values: `enable`, `disable`.
*/
rssoFlushIpSession?: pulumi.Input<string>;
/**
* Events to log. Valid values: `protocol-error`, `profile-missing`, `accounting-stop-missed`, `accounting-event`, `endpoint-block`, `radiusd-other`, `none`.
*/
rssoLogFlags?: pulumi.Input<string>;
/**
* Time interval in seconds that group event log messages will be generated for dynamic profile events.
*/
rssoLogPeriod?: pulumi.Input<number>;
/**
* Enable/disable sending RADIUS response packets after receiving Start and Stop records. Valid values: `enable`, `disable`.
*/
rssoRadiusResponse?: pulumi.Input<string>;
/**
* UDP port to listen on for RADIUS Start and Stop records.
*/
rssoRadiusServerPort?: pulumi.Input<number>;
/**
* RADIUS secret used by the RADIUS accounting server.
*
* Security note: pass this as a Pulumi secret (e.g. `pulumi.secret(...)` or `new pulumi.Config().requireSecret(...)`) rather than a string literal, so the value stays out of source control and is encrypted in stack state.
* NOTE(review): whether the provider itself marks this property as secret is not visible in this declaration — confirm.
*/
rssoSecret?: pulumi.Input<string>;
/**
* Enable/disable validating the RADIUS request shared secret in the Start or End record. Valid values: `enable`, `disable`.
*
* Security note: with `disable` the shared secret in incoming Start/End records is not validated.
* NOTE(review): accounting records would then presumably be accepted from any sender that can reach `rssoRadiusServerPort` — confirm, and restrict the listener by network policy if this stays disabled.
*/
rssoValidateRequestSecret?: pulumi.Input<string>;
/**
* Secret key to access the secondary server.
*
* Security note: pass this as a Pulumi secret (e.g. `pulumi.secret(...)` or `new pulumi.Config().requireSecret(...)`) rather than a string literal, so the value stays out of source control and is encrypted in stack state.
* NOTE(review): whether the provider itself marks this property as secret is not visible in this declaration — confirm.
*/
secondarySecret?: pulumi.Input<string>;
/**
* Secondary RADIUS server CN domain name or IP address (name string or IP string).
*/
secondaryServer?: pulumi.Input<string>;
/**
* Pre-shared secret key used to access the primary RADIUS server.
*
* Security note: pass this as a Pulumi secret (e.g. `pulumi.secret(...)` or `new pulumi.Config().requireSecret(...)`) rather than a string literal, so the value stays out of source control and is encrypted in stack state.
* NOTE(review): whether the provider itself marks this property as secret is not visible in this declaration — confirm.
*/
secret?: pulumi.Input<string>;
/**
* Primary RADIUS server CN domain name or IP address.
*/
server?: pulumi.Input<string>;
/**
* Enable/disable RADIUS server identity check (verify server domain name/IP address against the server certificate). Valid values: `enable`, `disable`.
*
* Security note: with `disable` the server's domain name/IP address is not verified against its certificate.
* NOTE(review): a certificate issued to a different host by the trusted CA would then presumably be accepted — keep this enabled for TLS transport unless there is a documented reason not to.
*/
serverIdentityCheck?: pulumi.Input<string>;
/**
* Source IP address for communications to the RADIUS server.
*/
sourceIp?: pulumi.Input<string>;
/**
* RADIUS attribute that contains the profile group name to be extracted from the RADIUS Start record. Valid values: `User-Name`, `NAS-IP-Address`, `Framed-IP-Address`, `Framed-IP-Netmask`, `Filter-Id`, `Login-IP-Host`, `Reply-Message`, `Callback-Number`, `Callback-Id`, `Framed-Route`, `Framed-IPX-Network`, `Class`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`, `Proxy-State`, `Login-LAT-Service`, `Login-LAT-Node`, `Login-LAT-Group`, `Framed-AppleTalk-Zone`, `Acct-Session-Id`, `Acct-Multi-Session-Id`.
*/
ssoAttribute?: pulumi.Input<string>;
/**
* Key prefix for SSO group value in the SSO attribute.
*/
ssoAttributeKey?: pulumi.Input<string>;
/**
* Enable/disable override old attribute value with new value for the same endpoint. Valid values: `enable`, `disable`.
*/
ssoAttributeValueOverride?: pulumi.Input<string>;
/**
* Time for which server reachability is cached so that when a server is unreachable, it will not be retried for at least this period of time (0 = cache disabled, default = 300).
*/
statusTtl?: pulumi.Input<number>;
/**
* Switch controller accounting message Framed-IP detection from DHCP snooping (seconds, default=2).
*/
switchControllerAcctFastFramedipDetect?: pulumi.Input<number>;
/**
* Enable/Disable switch-controller nas-ip dynamic to dynamically set nas-ip. Valid values: `enable`, `disable`.
*/
switchControllerNasIpDynamic?: pulumi.Input<string>;
/**
* RADIUS service type. Valid values: `login`, `framed`, `callback-login`, `callback-framed`, `outbound`, `administrative`, `nas-prompt`, `authenticate-only`, `callback-nas-prompt`, `call-check`, `callback-administrative`.
*/
switchControllerServiceType?: pulumi.Input<string>;
/**
* Secret key to access the tertiary server.
*
* Security note: pass this as a Pulumi secret (e.g. `pulumi.secret(...)` or `new pulumi.Config().requireSecret(...)`) rather than a string literal, so the value stays out of source control and is encrypted in stack state.
* NOTE(review): whether the provider itself marks this property as secret is not visible in this declaration — confirm.
*/
tertiarySecret?: pulumi.Input<string>;
/**
* Tertiary RADIUS server CN domain name or IP address (name string or IP string).
*/
tertiaryServer?: pulumi.Input<string>;
/**
* Time in seconds between re-sending authentication requests.
*/
timeout?: pulumi.Input<number>;
/**
* Minimum supported protocol version for TLS connections (default is to follow system global setting).
*
* Security note: when left unset the effective floor is whatever the system global setting says, so it is defined outside this resource. Set it explicitly if this server must never negotiate a legacy protocol version.
* The accepted values are not listed in this declaration — check the FortiOS reference for the target version.
*/
tlsMinProtoVersion?: pulumi.Input<string>;
/**
* Transport protocol to be used (default = udp). Valid values: `udp`, `tcp`, `tls`.
*
* Security note: `udp` and `tcp` carry RADIUS without transport encryption, so protection of the exchange rests on the shared secret alone; `tls` encrypts the whole exchange.
* NOTE(review): `caCert`, `clientCert`, `serverIdentityCheck` and `tlsMinProtoVersion` presumably only take effect with `tls` — confirm against the FortiOS reference.
*/
transportProtocol?: pulumi.Input<string>;
/**
* Enable/disable using management VDOM to send requests. Valid values: `enable`, `disable`.
*/
useManagementVdom?: pulumi.Input<string>;
/**
* Enable/disable case sensitive user names. Valid values: `enable`, `disable`.
*/
usernameCaseSensitive?: pulumi.Input<string>;
/**
* Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. To inherit the vdom configuration of the provider, leave this parameter unset.
*/
vdomparam?: pulumi.Input<string>;
}