The first step of enrollment is registration using the API. This transaction is encrypted using HTTPS and authenticated using the Enrollment Token. Once registered, Nodes start a provisional Lighthouse VPN tunnel and become known as Pending Nodes. In this untrusted state, network communications between Lighthouse and the Node are restricted and configuration is not synchronized.
The second step of enrollment is approval, which synchronizes configuration and enables bidirectional communications between Lighthouse and the Node. After approval, the Node becomes semi-trusted and Lighthouse may, for example, provision the Node with sensitive configuration, or feed back telemetry. This and all future transactions are secured by Lighthouse VPN.
Note: The Lighthouse security model is asymmetrical and operates on the principle of least privilege, so while Lighthouse has effective root control over all Nodes, Nodes have no control over Lighthouse or other Nodes.
When creating an Enrollment Bundle (Configure Nodes -> Node Enrollment -> Enrollment Bundles -> +), you may check Auto-approve node to automate these steps. Otherwise Nodes must be manually approved (Configure Nodes -> Node Enrollment -> Pending Nodes -> Approve Node).
- Only check Auto-approve node when enrolling in a trusted environment, for example ZTP over a local management LAN, and where you are confident the Enrollment Token will not be disclosed
- Otherwise when enrolling in an untrusted environment, for example a contractor deploying on your behalf using a USB key, leave Auto-approve node in its default, unchecked state
Enrollment Bundles should be deleted (Configure Nodes -> Node Enrollment -> Enrollment Bundles -> Delete Bundle) once no longer in use, to revoke further registrations using this Bundle.