Default System Accounts

Avi Vantage inherently comes with several user accounts created.  These accounts serve specific purposes, and unlike custom user accounts, they may not be deactivated or removed.


  • This account exists on both the Avi Controller and Avi Service Engine
  • It is the default administrator user-name for the system and cannot be changed
  • Default shell is Linux bash
    • From Linux prompt, use shell command to access Avi CLI shell
    • admin is the only account whose Avi password is automatically synchronized with Linux
  • Admin account is associated with super-user role in the Controller
  • User is in sudoers list
  • Default password for admin user: Starting with the 17.2.2 release of Avi Vantage, the initial default password of the admin user of Avi Controller has been changed from admin to a strong password. This password will be available in the Avi Networks portal where release images are uploaded, accessible only to customers having an account on the portal. Additionally, SSH access to the Controller with this default password is not allowed until the user changes the default password of the admin user. Once the password is changed, SSH access to the admin user will be permitted. For more information, refer to Strong Default Admin Password
    • Password is synchronized to the SEs
  • Account has super-user status, with full access to all tenants
  • This account is always authenticated via local user-db.  It does not use any configured remote authentication


  • Used to launch the CLI shell by logging into Avi Controller.  User will SSH to a Controller IP address, use cli as the username at the Linux prompt, then be presented with the Avi CLI shell access username and password prompt, which requires their custom credentials
  • Password-less from the Linux perspective with the CLI shell as the default shell that prompts for a username/password
  • CLI shell is launched in a container with no persistent storage


  • This account exists on Controller and SE
  • Internal user for SE-to-Controller communication via SSH tunnel
  • No password. Uses unique key-pair per SE
  • User is not in sudoers list on the Controller
  • User is in sudoers list on the SEs


  • This account exists on Controller only
  • Internal user for Controller-to-Controller communication via SSH
  • No password. Uses unique key-pair per Controller
  • User is in sudoers list