APIC Controller: Password Recovery

This article covers the process of how to perform a password recovery an APIC Controller Switch for which you do not have the correct credentials. If you are looking for how to perform password recovery on an your ACI Fabric Switches (Leafs/Spines), take a look here!

Prerequisites

• You will need physical access to the device
• You will need CIMC-KVM, CIMC-SOL, or console access to the device. If you have CIMC access to the device, I’d recommend using the Serial-Over-Lan option.
• Before trying this procedure, I would try to use the rescue-user account on the APIC (if available, it will save a lot of time!). If an admin password has been set already previously, the ‘rescue-user’ login account will utilize the same password that was previously set for the admin account. For questions on the rescue-user account, check out the APIC Troubleshooting Guide on CCO, and search for “rescue-user”.
  • The rescue-user is an emergency login that provides access to the Cisco APIC even when it is not in a cluster. You can use this login to run troubleshooting commands including erasing the configuration.
  • For a standby Cisco APIC, you can log in using SSH with the username “rescue-user” and no password. If the standby Cisco APIC was previously part of a fabric, the “rescue-user” account will retain the old administrator password, unless the operating system is re-installed using the keyboard, video, mouse (KVM) console.

Caveats

You will need to physically remove the cables connected from the APIC to the Fabric Leaf switches. It is not enough to simply disable the connection; (i.e., shutting the interface). The APIC Controller Password Recovery process will fail if the cable from the APIC to the Fabric Leaf switches remains connected.

APIC Controller Password Recovery Process

1. Create and save an empty file named “aci-admin-passwd-reset.txt”.
2. Add the file to a USB drive.
3. Connect the USB drive to one of the rear USB ports on the Cisco APIC.
4. Disconnect the APIC (that the USB is plugged into) from the Fabric Leaf switches.
5. Reboot the APIC from the CIMC or by hard power cycling the device.
6. When the APIC displays the “Press any key to enter the menu” prompt, press a key to interrupt the boot process.
7. The APIC displays supported Linux versions. Highlight the version installed on your system and press ‘e’ to edit the commands before booting:

8. Press “e” a second time to edit the kernel command in the boot sequence:

9. Add the name of the empty file to the end of the command line:

10. Press Enter to save the file.
11. Press “b” to boot the APIC.
12. The APIC will boot up and prompt for a new administrator password.
13. Re-attach the APIC Controller back to the Fabric Leaf switches and allow a few minutes for the password to propagate to the rest of the fabric.

Alternate APIC Recovery Procedure

If the procedure above does not work, or you just want to try to recover your APIC via another method, the procedure below should allow you to wipe and recover your fabric. While this isn’t necessarily a “password recovery” procedure, it will allow you to perform the APIC setup process, which would include setting a new password.

1. Download your APIC ISO file from CCO (cisco.com).
2. Load the ISO image using your CIMC via attaching\mounting the .iso file
   1. Alternatively – you can boot the .iso file from a USB drive on the system.
3. After the APIC firmware is loaded and reboots, it should boot up fresh and run thru the setup script again.