SCP error

Answered Question
Jan 5th, 2009
I'm trying to upgrade a router with CiscoWorks RME using SCP. It fails and says "SCP: [22 -> x.x.x.x:28475] send Privilege denied.".


The privilege level for this user is 15. I have checked the firewall and it's not blocking the traffic. Any ideas on where the privilege denied comes from? Thanks.

Joe Clarke Mon, 01/05/2009 - 09:28
User Badges: Cisco Employee, Hall of Fame, Founding Member

What does your config look like? For SCP, you need a standard SSH config (which grants the user level 15 access) as well as:

ip scp server enable

What I typically use for local authentication and authorization is:

aaa new-model
aaa authentication login default local
aaa authorization exec default local none
username USER privilege 15 password PASS
ip scp server enable

patrickdonlon Mon, 01/05/2009 - 23:05

Here's my aaa config. I'm using authorization, but I don't see any logs in my ACS when RME attempts to use SCP.

aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

ip ssh version 2
ip scp server enable

Joe Clarke Mon, 01/05/2009 - 23:07
User Badges: Cisco Employee, Hall of Fame, Founding Member

You need to be using exec-level authorization. You have authorization only for config-commands and commands. See my example config.

[Edit]

When the user logs in, they should be immediately dropped to a '#' prompt. The "show privilege" command should indicate they have level 15 access.

Correct Answer
Joe Clarke Mon, 01/05/2009 - 23:12
User Badges: Cisco Employee, Hall of Fame, Founding Member

Here is a sample TACACS+ config:

! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftscp.html for more details.

patrickdonlon Tue, 01/06/2009 - 02:36

Thanks Joe, this was exactly what was missing:

aaa authorization exec default group tacacs+

It now works perfectly.


grim Wed, 03/23/2016 - 17:50

For non-TACACS configs, this config also works:

aaa authorization exec default local if-authenticated
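An added example, not part of this thread and not a Cisco tool: a small Python audit of an IOS config excerpt that encodes Joe's diagnosis (command authorization alone does not give SCP the exec shell; `aaa authorization exec default ...` is required) and grim's local `if-authenticated` variant. The sample configs below are constructed from the configs posted in the thread, and the function names are this example's own.

```python
"""Audit an IOS config excerpt for the AAA pieces SCP needs.

Added example (not from the thread or from Cisco).  It checks for the
prerequisites the thread settles on: AAA enabled, login authentication,
exec-level authorization that lands the user at privilege 15, and the
SCP server turned on.  Sample configs are constructed from the thread.
"""
import re


def config_lines(text):
    """Return non-empty, non-comment config lines with whitespace normalised."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def audit_scp_aaa(text):
    """Return a list of findings; an empty list means the SCP prerequisites are met."""
    lines = config_lines(text)
    findings = []

    def has(pattern):
        rx = re.compile(pattern)
        return any(rx.match(line) for line in lines)

    if not has(r"aaa new-model$"):
        findings.append("missing 'aaa new-model' (AAA is not enabled at all)")
    if not has(r"aaa authentication login default "):
        findings.append("missing 'aaa authentication login default ...'")

    # The thread's root cause: no exec authorization, only command authorization.
    exec_authz = [l for l in lines if re.match(r"aaa authorization exec default ", l)]
    if not exec_authz:
        msg = "missing 'aaa authorization exec default ...' (SCP needs exec authorization)"
        if has(r"aaa authorization (commands|config-commands)"):
            msg += "; command authorization alone does not grant the exec shell"
        findings.append(msg)
    else:
        # Method list after 'aaa authorization exec default', e.g. ['local', 'none'].
        methods = exec_authz[0].split()[4:]
        if "local" in methods and not has(r"username \S+ privilege 15\b"):
            findings.append("exec authorization uses 'local' but no 'username ... privilege 15' exists")

    if not has(r"ip scp server enable$"):
        findings.append("missing 'ip scp server enable'")
    return findings


# Constructed from the asker's posted config (the 'before' state in the thread).
ASKER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip ssh version 2
ip scp server enable
"""

# Joe's TACACS+ sample from the accepted answer.
TACACS_CONFIG = """\
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
"""

# Joe's local-auth sample, with grim's if-authenticated variant for the exec line.
LOCAL_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
username USER privilege 15 password PASS
ip scp server enable
"""


if __name__ == "__main__":
    for name, cfg in (("asker", ASKER_CONFIG), ("tacacs", TACACS_CONFIG), ("local", LOCAL_CONFIG)):
        problems = audit_scp_aaa(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running it reports the asker's config as missing exec authorization (with the note that its command authorization lines are not a substitute) and passes both of Joe's samples; the checker deliberately matches on the `default` list only, since that is what the thread's configs use, so a named method list applied to the vty lines would need an extra rule.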

