Showing results for 
Search instead for 
Did you mean: 
Field Notice 70545
Mohamed Roushdy

Can't login to UCS neither with admin nor LDAP



We have Cisco UCS 6200 series, I was configuring LDAP on it, and I guess I've missed it up, I've created a local domain, changed the native authentication from "local" to LDAP, saved and logged out to test LDAP user authentication, but all failed to login, I can no longer login using the local "admin" account neither from GUI nor SSH.


How could I revert this back please?


Accepted Solutions

Maybe try breaking into the bootloader again on the console, login as admin, then:

UCS-A# scope security
UCS-A /security # scope console-auth
UCS-A /security/console-auth # set realm local
UCS-A# scope security
UCS-A /security # scope default-auth
UCS-A /security/console-auth # set realm local

Let's see if that forces the auth back to the local users accounts database.




View solution in original post

Kirk J
Cisco Employee


Do you have access to the console?

If so, you should be able to login via console, and set the default-auth, realm to local again.

Usually recommend leaving the console auth set to local.


As far as login attempts, are you using following syntax:

* From Linux / MAC machine

ssh ucs-<domain-name>\\<username>@<UCSM-IP-Address>

ssh -l ucs-<domain-name>\\<username> <UCSM-IP-address>

ssh <UCSM-IP-address> -l ucs-<domain-name>\\<username>


* From putty client

Login as: ucs-<domain-name>\<username>

NOTE Domain name is case sensitive and should match the domain-name configured in UCSM.


*Borrowing syntax from previous post at




Thanks for responding.


I can't login at all from anywhere, I've even tried the syntax you sent earlier today, but didn't work for both types of accounts.


Do you have anyway to block your UCSM mgmt ports from reaching ldap servers?

See if your local logins work, if the ldap servers aren't reachable from the UCSM (may need to add some temp acls on your upstream mgmt switch the FI mgmt ports plug into.

I guess you could unplug your 1 Gb mgmt ports, while trying to do console test (this may trigger cluster lead failover).

You're at a point you may need to open a TAC case.


As you've indicated you can't login via console, I'm assuming you adjusted your default auth for the console as well... We don't recommend doing that, for the very reason you are experiencing....




I've tried disconnecting the cables and connect a laptop directly to it, but didn't even work, I've even tried rebooting the FI, but didn't help. I didn't knew that it's not recommended to change from local to LDAP, I was just trying to troubleshoot why LDAP isn't working in the first place.


Unfortunately we have no longer gave support contract for that product, is there any other method rather than destroying the fabric settings please?

If all else fails, follow this procedure to log back in:


Instead of following the standard password recovery procedure, only power cycle the subordinate fabric interconnect, break into loader prompt, load the kickstart image and change the password. You are not required to remove the L1-L2 cables.


  • Step 1 Connect to the console port.


  • Step 2 Power cycle the fabric interconnect: a) Turn off the power to the fabric interconnect. Cisco UCS Manager CLI Configuration Guide, Release 2.2 2 Recovering a Lost Password Determining the Leadership Role of a Fabric Interconnect b) Turn on the power to the fabric interconnect.


  • Step 3 In the console, press one of the following key combinations as it boots to get the loader prompt: • Ctrl+l • Ctrl+Shift+r You may need to press the selected key combination multiple times before your screen displays the loader prompt.


  • Step 4 Boot the kernel firmware version on the fabric interconnect. loader > boot /installables/switch/ kernel_firmware_version Example: loader > boot /installables/switch/ucs-6100-k9-kickstart.4.1.3.N2.1.0.11.gbin


  • Step 5 Enter config terminal mode. Fabric(boot)# config terminal


  • Step 6 Reset the admin password. Fabric(boot)(config)# admin-password password Choose a strong password that includes at least one capital letter and one number. The password cannot be blank. The new password displays in clear text mode.


  • Step 7 Exit config terminal mode and return to the boot prompt.


  • Step 8 Boot the system firmware version on the fabric interconnect. Fabric(boot)# load /installables/switch/ system_firmware_version Example: Fabric(boot)# load /installables/switch/ucs-6100-k9-system.4.1.3.N2.1.0.211.bin


Now when the subordinate boots up, log into it via CLI with your new password and create a user.


The following example creates the user account named kikipopo, enables the user account, sets the password to foo12345, and commits the transaction:

UCS-A# scope security
UCS-A /security # create local-user kikipopo
UCS-A /security/local-user* # set account-status active
UCS-A /security/local-user* # set password
Enter a password:
Confirm the password:
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user # 

If required, assign an admin, operations, etc role to the new user.


The following example assigns the operations role to the kikipopo local user account and commits the transaction:

UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # create role operations
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user # 

**You can use this newly created user to login to UCSM via Virtual IP address and change the 'admin' user password that was lost. Once this is complete, the new password will sync to the subordinate.**

Ok, I've got my self a console cable, hocked it up, got connected, opened the loader very successfully, however, I couldn't figure out what is my kickstart image full name :((((


Pardon me, I am not so familiar with the device, how can I get the image name to be able to load it?

What version of UCSM are you running?

I have an update.


I ran "dir" to get the loaded image, booted it and followed your instructions and here's what happened:

  1. I connected my self to FI-B (which is supposed to be the subordinate).
  2. changed the "admin" password, rebooted FI and were able to login successfully.
  3. created a new used and assigned the "admin" role to it.
  4. connected a UTP cable to the management interface of FI-A (which is the primary node).
  5. SSHed to it with the new user and i logged in very successfully.
  6. got to my office to connect via the web interface, but failed to login with the new user (i am asked to choose a domain by the way, one of them is called "native").
  7. failed to SSH to FI-A with neither admin nor the new user account.


Now what :)