NCOS: Out of Band Management

Jesse Rothschild

Products Supported: AER31x0, AER21x0, MBR1400v2, MBR1400v1, IBR11x0, IBR6x0B, IBR6x0, CBA850, CBA750B. See Identify Cradlepoint Products  to identify your router.

To use this feature via NCM, you must have a NetCloud Prime (Essentials) or Enterprise (Advanced) Branch account. See NetCloud Manager Tiers for more information.

NCOS Version: 6.1* – for information on upgrading NCOS Versions, see NCOS: How to update the NCOS of a Cradlepoint router.

*Certain NCOS v6.2 features are included in this article.

Quick Links



Connection Methods

SSH Hopping

Out of Band Management Features with v6.2 Firmware


Related Articles


This document is intended to guide administrators through configuring the Serial Redirector feature on Cradlepoint routers for out-of-band management and troubleshooting of devices with an RS232 console interface. Once enabled, this feature is used by establishing an SSH or Telnet client session with the router, which then redirects the SSH or Telnet traffic to the attached console cable



Configuration Difficulty: Intermediate

Hardware Setup

Obtain the cabling/connectors required for the type of connection being made with the serial redirect. Use the following table for reference:

Serial Redirector Connector Reference

Connection TypeSupported ProductsType of ConnectorNotes
  • IBR11x0 series
DB9 Male to Male Serial Adapter
  • COR IBR600/IBR650
  • COR IBR600B/IBR650B
  • CORIBR1100/IBR1150
  • AER1600/AER1650 and AER2100
The USB-to-serial adapter must use an FTDI

chip set. See Cradlepoint Serial Console Support for more information.

1-to-4 USB-to-RS232 serial adapter can be used for multiple out of band devices.
RJ45 serial console
  • CBA850 (head unit) 1, 2
  • AER3100/AER3150 (devices managed by the CBA850)

The CBA850 and AER3100/AER3150 will work with a USB-to-serial cable (with one or more serial connections) if a high-speed USB hub is connected between the router and the USB-to-serial cable.

Not all Cisco RJ45 serial console ports are standard. Their TX/RX pins provide standard transmit/receive functionality, but the control signals (such as RTS/CTS for HW handshaking) vary by product. Performing simple out of band management with Cisco RJ45 serial console ports is usually possible, but using advanced control signals varies. Either avoid these advanced signals, or assemble custom cables to match the Cisco model’s RJ45 serial console port.

1. Make the required hardware connections before beginning the software configuration. (A USB-to-serial connection is shown below as an example.)

a. Connect a USB-to-serial adapter (callout 1) to the USB port of the Cradlepoint router (callout 2).

b. Connect a console cable (callout 3) to the USB-to-serial adapter.

c. Connect the console cable to the console port of the device to manage (callout 4).


Software Setup

Note: No software setup is required for Cradlepoint routers using RJ45 console-port connections.

Use the following steps to enable and configure the Cradlepoint router’s software settings for serial redirection.

1. Log into the router’s NCOS Page. For help with logging in, see NCOS: Accessing the Setup Pages of a Cradlepoint Router.

2. Click on the SYSTEM tab on the left, and then select Serial Redirector.

3. Place a check mark next to Enabled in the Telnet to Serial Configuration area, and then click the Submit button. Wait for the Server Status field to indicate “Ready”.

Note: If there is a problem with the detection of the adapter, the Server Status field will display Starting and never change. This usually means the adapter is not supported by the router.

4. In the USB Serial Adapter Configuration section, set the values to match those used by your device.

Note: Some routers require slightly different settings than Cradlepoint’s default router settings. If the console window does not display text correctly (such as inserting a blank row between each line of text), change the Cradlepoint’s Linefeed setting to a different value and then try again.

5. Click the Submit button again if additional changes were made


Connection Methods

Client software is required to open SSH/Telnet connections to Cradlepoint routers. The SSH/Telnet client software, PuTTY, is used in the following procedures. For more information on installing and using PuTTY, see Download PuTTY.

SSH-to-Serial (Secure Connection)

The recommended, secure method to access your hardware is to first establish an SSH session to the Cradlepoint router. Establishing SSH sessions to Cradlepoint routers can be done in any of the three following ways:

Note: To connect to the Cradlepoint router using client software, the router must have a publicly routable WAN IP address. See NCOS: How to determine if you have a publicly routable IP address for more information.

1. Open your SSH client software (PuTTY, in this example) and type in the public IP address and port for the Cradlepoint router in the Host Name (or IP Address) and Port fields.

2.  Select SSH for the Connection type.

3. Click the Open button to establish an SSH connection to the Cradlepoint router.

Once you have established an SSH connection to the router’s command-line interface (CLI), use the serial command to create a console session from the Cradlepoint router to the serially-connected device.

If you are using a 1-to-4 USB-to-Serial adapter, use the following command format to initiate a serial connection to a specific client device:
serial #

For example, to connect serially to a device connected to the third port of USB-to-Serial adapter:

serial 3

After the session is established, you have access to the console of your device.

Use the following commands to end the session:

  • CTRL + W to break the connection to the device, but keep the SSH session up
  • CTRL + Q to break the connection to the device and end the SSH session

Console Cable Connection (CBA850 only)

The CBA850 router has a console port for Out of Band Management (OOBM) of third-party devices. Console access from a CBA850 to the CLI of a third-party router/firewall requires the following:

  • An SSH Client installed on your computer (e.g PuTTY)
  • A Public Static/Dynamic IP address with your ISP
  • A router/firewall with a console port

NOTE: The CBA850 console port requires the use of a rollover cable or adapter.

1. Open your SSH Client (PuTTY, in this example) and type the public IP address for the CBA850 in the Host Name (or IP Address) field.

2. Select SSH for the Connection type.

3. Click the Open button to establish an SSH connection to the CBA850.

4. Type the command


at the CBA850’s command line prompt to start a session from the CBA850 to the device connected to the console port of the CBA850.

Note: Out of Band Management with the console port allows only one connection at a time.

Telnet-to-Serial (Direct Connection)

Important: Cradlepoint recommends using the SSH-to-Serial connection method whenever possible because it is encrypted and requires a username and password. Cradlepoint does NOT recommend using Telnet-to-serial access unless the device is on a private network and is not accessible from the Internet.

1. Open your SSH client software (PuTTY, in this example) and type in the public IP address for the Cradlepoint router in the Host Name (or IP Address) field.

Note: The WAN connection will not work unless WAN is enabled within the router’s system settings (SYSTEM Serial Redirector Telnet to Serial Configuration area).

2. Type the Telnet port number in the Port field. This port number is listed on the router’s SYSTEM Serial Redirector > Telnet to Serial Configuration area in the Server Port field.

3. Select Telnet for the Connection type.

4. Click the Open button to establish the Telnet session and interact directly with your hardware connected to the Cradlepoint router.

SSH Hopping

Users are able to SSH into any device on either the WAN or LAN that is running an SSH Server.

Configurable Options: – Port – Login name – Data compression – Session ciphers

Supported ciphers: –

  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  • 3des-cbc
  • blowfish-cbc

Client uses the below ciphers by default for PCI-Compliance:

  • aes256-ctr
  • aes192-ctr
  • aes128-ctr

Required arguments: hostname Either the hostname or a [email protected] pair

Optional arguments:

  • -v Debug level. May be specified up to 3 times (-v, -vv, -vvv).
  • -C Requests compression of all data.
  • -1 Force ssh to try protocol version 1 only.
  • -2 Force ssh to try protocol version 2 only.
  • -l Specifies login name.
  • -p Specifies port.
  • -c Comma separated list of ciphers (e.g. aes256-ctr,aes192-ctr,aes128-ctr,).

NOTE: When asked if you trust the host key; make sure to type “yes” and not “y.”

NOTE: Only one session can be active at a time. If a new session is opened (if the device is accessed by a different method, or by a second user) before the original one is stopped, you may receive garbled feedback.

Out of Band Management Features with v6.2 Firmware

Starting with NCOS v6.2, NetCloud Manager provides improved Out of Band Management features, including the following:

  • OOBM access for Diagnostic-role users
  • The Remote Connect menu, with all remote connection features located in one place.
  • The ability to create OOBM connection profiles for one-click connection and access to devices.
  • The Cradlepoint CLI is not required for access.
  • Increased console-buffer size to hold and view more information.

This section provides the steps necessary to create and use OOBM connection profiles.

Create an OOBM Connection Profile

1. Click the Remote Connect menu.

2. Click Add/Edit for Out of Band Manager.

3. From the Remote Connect screen, click the Add button in the Out of Band Manager area.

4.  On the Add Serial Profile dialog do the following:

a. Type a name for the connection profile in the Name field.

b. Select the serial port that the connection will use, from the Serial drop-down box.

c. Click the Save button to save the OOBM connection profile.

Use an OOBM Connection Profile

OOBM Connection Profiles can be accessed and used with either of the following methods:

From the Remote Connect menu:

Select the profile from the Out of Band Manager area in the Remote Connect menu.

From the Remote Connect screen:

Click the Connect button next to the profile.



  • Reboot the hardware, including the Cradlepoint router and its client serial device.
  • Reseat the connectors.
  • Disable/re-enable the Serial Redirect feature on the Cradlepoint router.
  • Ensure you are able to access your device’s console directly through the USB-to-Serial adapter.
  • Check the RS232 settings on your device and make sure they match.
Share Article: