Opengear Lighthouse provides a single point of access for many Opengear console servers via a single, central IP address.
The Console Gateway feature provides central CLI access to consoles of managed devices (such as routers, switches and PDUs), attached to the console server's serial and USB ports.
Configuring Console Gateway
To enable the Console Gateway feature for a specific console server, in the Serial Port Proxy section set the total Number of Serial Ports.
This field may be set when first adding the console server (enrollment), or later by clicking Configure -> Managed Console Servers -> Edit. For full details on enrolling console servers in Lighthouse, refer to this article.
Note: When enrolling using the bulk provisioning enrollment-wizard script, Number of Serial Ports is automatically detected and set.
Click Apply. Lighthouse retrieves the console server's configuration, including port labels and user access permissions, and generates the central view.
Note: When the console configuration on a managed console server changes, it is not automatically re-synchronized. This must be done manually using Configure -> Managed Console Servers -> Retrieve Managed Devices from the web UI, or node-sync from the CLI.
Using Console Gateway
Managed console servers' consoles may now be accessed via UI or CLI – for details and examples, refer to this article.
User permissions
Lighthouse aggregates retrieved managed console server configuration to generate its user and access permissions database, to control visibility of and access to console servers and ports for the currently authenticated user.
Remote Authentication using Remote Groups
When Lighthouse and managed console servers are using a remote AAA (e.g. TACACS, RADIUS) Authentication Method with Use Remote Groups enabled, the following conditions must be met for a user to be granted access to a particular console:
- The user must successfully authenticate against the AAA server
- The AAA server must pass back a list of remote groups for this user
- One of these remote groups must be admin, or
- One of these remote groups must be users, and:
  - An additional remote group must exist on the console server under Serial & Network -> Users & Groups -> Groups
  - This group must contain the console port in its list of Accessible Ports
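The conditions above can be evaluated offline when reviewing which AAA groups grant which ports. The Python below is an added example, not Opengear code: the function names and data shapes are hypothetical, group names are matched exactly, and the "additional remote group" is assumed to be one of the groups the AAA server returned for the user.

```python
# Added illustration of the Remote Groups access rule; not an Opengear API.

def console_access(authenticated, remote_groups, server_groups, port):
    """Return (allowed, reason) for one user and one console port.
    authenticated  -- True if the AAA server accepted the credentials
    remote_groups  -- group names the AAA server returned for the user
    server_groups  -- {group name: set of Accessible Ports} on the console server
    port           -- serial port number being requested
    """
    if not authenticated:
        return False, "authentication failed"
    groups = set(remote_groups or [])
    if not groups:
        return False, "no remote groups returned"
    if "admin" in groups:
        return True, "member of admin"
    if "users" not in groups:
        return False, "neither admin nor users"
    # 'users' alone is not enough: another remote group must exist on the
    # console server and list this port among its Accessible Ports.
    for name in sorted(groups - {"users"}):
        if port in server_groups.get(name, set()):
            return True, "port granted via group " + name
    return False, "no matching group lists this port"


def audit(users, server_groups, ports):
    """Map each user to the list of ports the rule would grant."""
    return {
        user: [p for p in ports
               if console_access(True, groups, server_groups, p)[0]]
        for user, groups in users.items()
    }


# Constructed sample data (not taken from a real deployment).
SERVER_GROUPS = {"netops": {1, 2}, "pdu-team": {4}}
AAA_USERS = {
    "alice": ["admin"],
    "bob": ["users", "netops"],
    "carol": ["users"],                # users only: no port-granting group
    "dave": ["netops"],                # group matches, but 'users' is missing
    "erin": ["users", "contractors"],  # group not defined on the server
}

if __name__ == "__main__":
    for user, ports in audit(AAA_USERS, SERVER_GROUPS, [1, 2, 3, 4]).items():
        print(user, ports)
```

Running the audit over every AAA user shows who holds admin, which gives access to all ports regardless of the console server's group configuration.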
Local Authentication
All users are retrieved from each managed console server, and a corresponding account for each Retrieved User is automatically created on Lighthouse.
A Retrieved User account aggregates permissions across all managed console servers – e.g. if the user operator1 exists on 10 console servers, upon successfully authenticating to Lighthouse operator1 will be granted access to these 10 console servers, and the individual console ports that operator1 has been granted on each console server under Serial & Network -> Users & Groups.
Retrieved Users are disabled by default. Use these steps to enable a user:
- Log in to the Lighthouse browser UI as root
- Click Configure -> User Authorization and Edit the user
- Enter a Password and Confirm
- You may optionally make this user an admin of Lighthouse itself (and therefore have complete control of all managed console servers)
- You may revoke users group access to limit this user to console access using the CLI username convention only
- Click Apply