Recovering Cisco APIC Passwords and Accessing Special Logins

This chapter explains how to recover your Cisco APIC password, how to access the rescue-user login to run troubleshooting commands, including the command for erasing the configuration, and how to access a hidden login domain that allows you to log in using the local user database in case of a lockout.

Recovering the APIC Password

For Cisco APIC Release 5.3 or 6.0 or later, contact Cisco TAC to recover the Cisco Application Policy Infrastructure Controller (APIC) password. You cannot recover the password on your own.

Follow these steps to recover the APIC password.

Procedure


Step 1

Create and save an empty file named "aci-admin-passwd-reset.txt".

Step 2

Add the file to a USB drive. You can format the USB drive to FAT or FAT32.

Step 3

Connect the USB drive to one of the rear USB ports on the Cisco APIC.

Step 4

Reboot the Cisco APIC using Cisco Integrated Management Controller (CIMC) or by hard power cycling the device.

Step 5

Press the Esc key during the 10-second countdown timer that appears at the top left to bring up the list of boot targets.

Step 6

Press the e key to edit the default grub line.

Step 7

Go to the line that begins with "linux". Using the End key or Right Arrow key, move the cursor to the end of that line and append "aci-admin-passwd-reset".

Step 8

Press Ctrl+X to boot the entry.

It may take a few minutes for the new password to take effect.


Using the Rescue-user Account to Erase the Cisco APIC Configuration Using the NX-OS Style CLI

The rescue-user is an emergency login that provides access to the Cisco APIC even when it is not in a cluster. You can use this login to run troubleshooting commands including erasing the configuration.


Note
For a standby Cisco APIC, you can log in using SSH with the username "rescue-user" and no password. If the standby Cisco APIC was previously part of a fabric, the "rescue-user" account will retain the old administrator password, unless the operating system is re-installed using the keyboard, video, mouse (KVM) console.


Procedure


Step 1

Access the APIC using the Cisco Integrated Management Controller (CIMC) console.

Step 2

Log in as rescue-user.

Note
If an admin password is in place and the Cisco APIC is logged onto the fabric, the rescue-user password is the same as the admin password. Otherwise there is no rescue-user password.

Step 3

Use the acidiag touch command to clear the configuration.

Example:

apic1# acidiag touch setup

Using the Fallback Login Domain to Log in to the Local Database

There is a hidden login domain named "fallback" that allows you to log in using the local user database in case of lockout. The format of the username used for the authentication method is apic#fallback\\<username>.

Procedure


Step 1

Use the fallback login domain to log in to the local database in the GUI, or work with the fallback login domain in the NX-OS-style CLI, as shown here:

apic1(config)# aaa authentication login domain fallback
apic1(config-domain)# ?
group Set provider group for login domain
realm Specify server realm

Step 2

Optionally, you can instead use the REST API to log in to the fallback login domain, as shown here:

  • URL: https://ip_address/api/aaaLogin.xml

  • DATA: <aaaUser name="apic#fallback\\admin" pwd="passwordhere"/>
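The REST login above, written out as a small Python client. This is an added example and not part of the Cisco documentation or the APIC product code; it assumes only the URL, the aaaUser body and the apic#fallback\\<username> format given on this page (the two-backslash separator is kept exactly as the page spells it), plus the usual aaaLogin reply shape with a token and refreshTimeoutSeconds attribute, which is an assumption here. The host name, the sample replies and the canned opener are constructed so the flow runs offline; against a real APIC you omit the opener argument.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Hidden local-database domain from the page. The separator is written with two
# literal backslashes, exactly as the page spells it: apic#fallback\\<username>
FALLBACK_PREFIX = "apic#fallback\\\\"


def fallback_username(user):
    """Prefix a local-database user name with the fallback login domain."""
    return FALLBACK_PREFIX + user


def build_login_body(user, pwd):
    """Build the aaaLogin XML body from the page.

    quoteattr() escapes quotes, <, > and &, so a password containing such
    characters cannot break (or inject into) the XML document.
    """
    return "<aaaUser name=%s pwd=%s/>" % (
        quoteattr(fallback_username(user)), quoteattr(pwd))


def parse_login_response(xml_text):
    """Return (token, refresh_seconds) from an aaaLogin reply, or raise.

    Assumed reply shapes (not taken from the page):
      success: <imdata><aaaLogin token="..." refreshTimeoutSeconds="..."/></imdata>
      failure: <imdata><error code="..." text="..."/></imdata>
    """
    root = ET.fromstring(xml_text)
    login = root.find("aaaLogin")
    if login is not None:
        return login.get("token"), int(login.get("refreshTimeoutSeconds", "0"))
    err = root.find("error")
    if err is not None:
        raise PermissionError("APIC login failed: %s %s" % (err.get("code"), err.get("text")))
    raise ValueError("unexpected aaaLogin response")


def login_fallback(apic_host, user, pwd, opener=None):
    """POST the fallback-domain login to https://<host>/api/aaaLogin.xml.

    opener defaults to urllib.request.urlopen with normal certificate
    verification; it is injectable so the flow can be exercised offline.
    """
    url = "https://%s/api/aaaLogin.xml" % apic_host
    req = urllib.request.Request(
        url,
        data=build_login_body(user, pwd).encode("utf-8"),
        headers={"Content-Type": "application/xml"},
        method="POST",
    )
    if opener is None:
        ctx = ssl.create_default_context()
        opener = lambda r: urllib.request.urlopen(r, context=ctx)
    with opener(req) as resp:
        return parse_login_response(resp.read().decode("utf-8"))


# Constructed sample replies (not captured from a real controller).
SAMPLE_OK = ('<imdata totalCount="1"><aaaLogin token="EXAMPLE-TOKEN" '
             'refreshTimeoutSeconds="600" userName="admin"/></imdata>')
SAMPLE_ERR = ('<imdata totalCount="1"><error code="401" '
              'text="User not found"/></imdata>')


class _CannedReply:
    """Constructed stand-in for urlopen's response object, for offline runs."""

    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body.encode("utf-8")

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def demo():
    """Run the full flow against the constructed successful reply."""
    return login_fallback("apic.example.invalid", "admin", "p@ss<word>",
                          opener=lambda req: _CannedReply(SAMPLE_OK))


if __name__ == "__main__":
    print(demo())
```

The token returned on success is what later REST requests present as the session cookie; the PermissionError path is what you get when the local database does not know the user or the password is wrong, which is the case the fallback domain exists to get you out of.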