AVI Controller Admin User Login Fails Due to "User credentials have expired" Error
Article ID: 402573

Products

VMware Avi Load Balancer

Issue/Introduction

This article addresses a specific issue where the local 'admin' user on an AVI Controller cannot log in to the UI because its credentials have expired after the credentials_timeout_threshold has elapsed. LDAP user logins remain functional and UI access for those users is uninterrupted, but the 'admin' user receives a "User credentials have expired" error on every UI login attempt.

Environment


  • AVI Controller Authentication

  • Local 'admin' user account

  • User-Account-Profile with a credentials_timeout_threshold

Cause

  • The root cause of this issue is the expiration of the local 'admin' user's password, as defined by the credentials_timeout_threshold parameter within the Default-User-Account-Profile. The provided profile snippet confirms "credentials_timeout_threshold": 180, meaning the password for local accounts associated with this profile expires every 180 days.

Resolution

To successfully resolve the "User credentials have expired" error and restore full access for the 'admin' user, the password must be changed using the UserAccount API. This method ensures that the credential expiration flag is properly cleared, allowing UI login and CLI configuration.

  • Step 1: Log in to the Controller CLI as the admin user (you will still be blocked from shell commands immediately after login because the password has expired, but this initial login is required to run sudo).

    admin@:~$ sudo -i
    [sudo] password for admin: <Enter-Current-Admin-Password>
    

    This will grant you root access, indicated by the prompt changing to root@<Controller-IP>:~#.

  • Step 2: Execute the API call to change the password. Use the curl command to send a PUT request to the /api/useraccount endpoint. Replace <Controller-IP>, <Controller-Version>, Current-Password, and New-Password with your specific details. Ensure Current-Password is the current password for the admin account (even though it has expired).

    root@:~# curl -k -u admin:Current-Password -X PUT https://<Controller-IP>/api/useraccount -H "Content-Type: application/json" -H "X-Api-Version: <Controller-Version>" -d '{"full_name":"System Administrator","name":"admin","username":"admin","email":"","local":true,"is_superuser":true,"old_password":"Current-Password","password":"New-Password","confirm_password":"New-Password"}'


    • -k or --insecure: Allows insecure server connections when using SSL/TLS (disables certificate verification, so the connection is not protected against interception). Use with caution in production; it is often necessary for initial API access on controllers that do not yet present a trusted certificate.

    • -u admin:Current-Password: Specifies the username and current password for authentication.

    • -X PUT: Specifies the HTTP method as PUT, used for updating resources.

    • -H "Content-Type: application/json": Sets the request header to indicate that the body content is JSON.

    • -H "X-Api-Version: <Controller-Version>": Specifies the API version. Adjust this if your Controller version is different.

    • -d '...': Provides the JSON payload containing the user details, including old_password, password, and confirm_password.

  • Step 3: Verify access. After the curl command completes successfully (you should receive a JSON response indicating success, not an error), you should be able to:

    • Log in to the AVI Controller UI using the admin username and the New-Password.

    • Access the CLI shell without the "Your password has expired. Configuration is now blocked." message, allowing full command execution.
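The three steps above, wrapped in a small POSIX shell script. This is an added example, not code from the article or from VMware: it assumes the /api/useraccount endpoint and JSON field names shown in the article, and takes the controller address, API version and both passwords from environment variables (AVI_CONTROLLER, AVI_API_VERSION, AVI_OLD_PASSWORD, AVI_NEW_PASSWORD) that you set in the root shell obtained in Step 1. It differs from the one-line curl in two ways a defender usually wants: the passwords are passed via stdin and a mode-600 netrc file rather than on the command line, so they do not show up in `ps` or shell history, and the new password is checked before anything is sent.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumed environment variables:
#   AVI_CONTROLLER   - controller IP or hostname
#   AVI_API_VERSION  - value for the X-Api-Version header
#   AVI_OLD_PASSWORD - current (expired) admin password
#   AVI_NEW_PASSWORD - replacement admin password

# Build the JSON body for PUT /api/useraccount exactly as the article shows it.
build_useraccount_payload() {
    old_pw=$1
    new_pw=$2
    printf '{"full_name":"System Administrator","name":"admin","username":"admin","email":"","local":true,"is_superuser":true,"old_password":"%s","password":"%s","confirm_password":"%s"}' \
        "$old_pw" "$new_pw" "$new_pw"
}

# Checks before touching the controller: the new password must be non-empty,
# must differ from the old one, and must not contain characters that would
# corrupt the hand-built JSON above (double quote or backslash).
validate_new_password() {
    old_pw=$1
    new_pw=$2
    [ -n "$new_pw" ] || { printf '%s\n' 'new password is empty' >&2; return 1; }
    [ "$new_pw" != "$old_pw" ] || { printf '%s\n' 'new password equals old password' >&2; return 1; }
    case "$new_pw" in
        *'"'*|*'\'*)
            printf '%s\n' 'new password contains " or \; choose another' >&2
            return 1 ;;
    esac
    return 0
}

# Send the PUT. Prints the response body and returns 0 only on an HTTP 2xx.
# -k mirrors the article; replace it with --cacert <ca.pem> once the
# controller presents a certificate you trust.
change_admin_password() {
    controller=$1
    api_version=$2
    old_pw=$3
    new_pw=$4
    validate_new_password "$old_pw" "$new_pw" || return 1
    body=$(build_useraccount_payload "$old_pw" "$new_pw")

    # Credentials go into a private netrc file, the body goes in on stdin,
    # so neither appears in the process list.
    netrc=$(mktemp) || return 1
    out=$(mktemp) || { rm -f "$netrc"; return 1; }
    chmod 600 "$netrc" "$out"
    printf 'machine %s login admin password %s\n' "$controller" "$old_pw" > "$netrc"

    status=$(printf '%s' "$body" | curl -k -sS -o "$out" -w '%{http_code}' \
        --netrc-file "$netrc" -X PUT "https://$controller/api/useraccount" \
        -H "Content-Type: application/json" \
        -H "X-Api-Version: $api_version" \
        -d @-)
    rc=$?
    cat "$out"; echo
    rm -f "$netrc" "$out"
    [ "$rc" -eq 0 ] && [ "$status" -ge 200 ] && [ "$status" -lt 300 ]
}

# Only run against a controller when the assumed variables are present.
if [ -n "${AVI_CONTROLLER:-}" ]; then
    change_admin_password "$AVI_CONTROLLER" "$AVI_API_VERSION" \
        "$AVI_OLD_PASSWORD" "$AVI_NEW_PASSWORD"
fi
```

After a 2xx response, perform the Step 3 checks: log in to the UI with the new password and confirm the CLI no longer shows the "Configuration is now blocked" message.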


Note: Please refer to the KB article on resetting the AVI Controller admin user login when credentials have expired and the Basic Authentication option is not enabled.

Additional Information

  • The credentials_timeout_threshold in the User Account Profile is a security feature designed to enforce regular password changes for local user accounts.
  • While the admin_pwd_reset.py script can technically change the password, it appears to miss updating the internal flag that indicates the password has also been changed since its expiration, which is crucial for full system access.
  • The API method, on the other hand, correctly clears this flag, thereby resolving the UI login and CLI blocking issues. This highlights the importance of using the appropriate API calls for comprehensive system management and state changes in AVI Controller.