Cisco Support Community

SCP

Greetings,

I'm trying to get Secure Copy (SCP) working to a Cisco switch configured to authenticate access via TACACS+ off Cisco ACS.

I've read the SCP documentation (http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html) and enabled SSH and SCP as described. I can SSH into the switch without a problem.

However, when I try and use scp from a unix workstation to copy startup-config (scp craig@192.168.100.20:nvram/startup-config startup-config) I get the error "Privilege denied."

I assume that this is because the user "craig" (configured in Cisco ACS) needs to "enable" to get to privilege 15 in order to access the file "nvram:startup-config".

The examples in the SCP configuration document use a local privilege 15 user (username superuser privilege 2 password 0 superpassword), which does not need to "enable".

How do you achieve this using Cisco ACS? I can't find anywhere in Cisco ACS to configure a user to have privilege 15 by default. Am I missing something?

Any help would be greatly appreciated.

Craig

  • LAN Switching and Routing
1 REPLY

Re: SCP

About 10 minutes after posting this problem I figured out the solution myself.

In Cisco ACS | Group Setup | Edit Settings | TACACS Settings, check Privilege level and set it to 15.

This only works if the following AAA configuration line is also present on the Catalyst device:

aaa authorization exec default group tacacs+

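Added example (not part of the original thread and not Cisco code): a Python check over a saved running-config for the device-side prerequisites named in the reply. It goes one step further than the reply by also flagging vty lines that override the default exec authorization list. The sample config, the list name NOAUTHZ and the function names are constructed for illustration, and only the built-in "group tacacs+" method from the reply is recognized.

```python
import re

# Constructed sample running-config (not from the thread); NOAUTHZ is a made-up list name.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+
aaa authorization exec NOAUTHZ none
ip scp server enable
line vty 0 4
 transport input ssh
line vty 5 15
 authorization exec NOAUTHZ
"""

def exec_authz_lists(config):
    """Map each 'aaa authorization exec' list name to its method string."""
    pat = re.compile(r"^aaa authorization exec (\S+) (.+)$", re.M)
    return {name: methods.strip() for name, methods in pat.findall(config)}

def vty_exec_lists(config):
    """Map each 'line vty' section to the exec authorization list it uses."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("line "):
            current = line.strip() if line.startswith("line vty") else None
            if current:
                result[current] = "default"  # 'default' applies unless overridden
        elif current and line.startswith(" "):
            m = re.match(r"\s+authorization exec (\S+)", line)
            if m:
                result[current] = m.group(1)
        else:
            current = None  # left the line section
    return result

def scp_findings(config):
    """List reasons a TACACS+ user would not receive the ACS privilege level for SCP."""
    findings = []
    for cmd in ("aaa new-model", "ip scp server enable"):
        if not re.search(rf"^{re.escape(cmd)}\s*$", config, re.M):
            findings.append(f"{cmd} missing")
    lists = exec_authz_lists(config)
    for vty, name in vty_exec_lists(config).items():
        if "group tacacs+" not in lists.get(name, ""):
            findings.append(f"{vty}: exec authorization list {name} lacks group tacacs+")
    return findings
```

An empty result from scp_findings means the device side is in place; the privilege level itself still has to be set on the ACS group as described in the reply.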