Cisco Support Community

New Member

SCP error

I'm trying to upgrade a router with CiscoWorks RME using SCP. It fails and says "SCP: [22 -> x.x.x.x:28475] send Privilege denied."

The privilege level for this user is 15. I have checked the firewall and it's not blocking the traffic. Any ideas on where the privilege denied comes from? Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SCP error

Here is a sample TACACS+ config:

! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftscp.html for more details.

6 REPLIES
Cisco Employee

Re: SCP error

What does your config look like? For SCP, you need a standard SSH config (which grants the user level 15 access) as well as:

ip scp server enable

What I typically use for local authentication and authorization is:

aaa new-model
aaa authentication login default local
aaa authorization exec default local none
username USER privilege 15 password PASS
ip scp server enable

New Member

Re: SCP error

Here's my aaa config. I'm using authorization, but I don't see any logs in my ACS when RME attempts to use SCP.

aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip ssh version 2
ip scp server enable

Cisco Employee

Re: SCP error

You need to be using exec-level authorization. You have authorization only for config-commands and commands. See my example config.

[Edit]

When the user logs in, they should be immediately dropped to a '#' prompt. The "show privilege" command should indicate they have level 15 access.
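The distinction made in this reply (an exec authorization list is what grants the privilege-15 shell SCP needs; commands and config-commands authorization alone do not) is easy to miss when reading a long AAA section. Below is an added example, not code from the thread or from Cisco, that audits an IOS running-config text for the prerequisites this thread converges on: aaa new-model, an exec authorization list that actually applies to the SSH session, ip scp server enable, and SSH version 2. It also warns when an exec list ends in the none method, which makes authorization succeed whenever the earlier methods cannot answer. The three sample configs are constructed from the configs posted in this thread; the helper names and the warning text are my own.

```python
import re

# Constructed sample configs, built from the configs posted in this thread
# (not captured from a live device).
POSTER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip ssh version 2
ip scp server enable
"""

# The accepted fix: the same config plus an exec authorization list.
FIXED_CONFIG = POSTER_CONFIG + "aaa authorization exec default group tacacs+\n"

# Local-database variant from the first reply.
LOCAL_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local none
username USER privilege 15 password PASS
ip scp server enable
"""

EXEC_LIST = re.compile(r"^aaa authorization exec (\S+) (.+)$")
CMD_AUTHZ = re.compile(r"^aaa authorization (commands \d+|config-commands)\b")
LINE_EXEC = re.compile(r"^authorization exec (\S+)$")   # applied under 'line vty ...'


def parse_methods(spec):
    """Split a method list such as 'group tacacs+ local none' into its methods."""
    toks = spec.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def audit_scp_aaa(config_text):
    """Return {'ok': bool, 'errors': [...], 'warnings': [...]} for a config text.

    Errors block SCP (or make the check meaningless); warnings are weaknesses
    a reviewer would still want to see.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    errors, warnings = [], []

    if "aaa new-model" not in lines:
        errors.append("aaa new-model missing: AAA method lists are not in effect")

    # Exec lists that can apply to an SSH session: the default list, or a
    # named list referenced by 'authorization exec NAME' on a line.
    exec_lists = {m.group(1): parse_methods(m.group(2))
                  for m in map(EXEC_LIST.match, lines) if m}
    referenced = {m.group(1) for m in map(LINE_EXEC.match, lines) if m}
    active = [n for n in exec_lists if n == "default" or n in referenced]

    if not active:
        msg = "no exec authorization list applies to the SSH session (aaa authorization exec default ...)"
        if any(CMD_AUTHZ.match(ln) for ln in lines):
            msg += ("; 'commands'/'config-commands' authorization alone does not grant "
                    "the privilege-15 exec shell SCP needs")
        errors.append(msg)
    for name in active:
        if "none" in exec_lists[name]:
            warnings.append(f"exec list '{name}' falls back to 'none': authorization "
                            "succeeds whenever the earlier methods cannot answer")

    if not any(ln.startswith("aaa authentication login default ") for ln in lines):
        warnings.append("no explicit 'aaa authentication login default' list")
    if "ip scp server enable" not in lines:
        errors.append("ip scp server enable missing")
    if "ip ssh version 2" not in lines:
        warnings.append("ip ssh version 2 not set")

    return {"ok": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, cfg in (("poster", POSTER_CONFIG), ("fixed", FIXED_CONFIG), ("local", LOCAL_CONFIG)):
        result = audit_scp_aaa(cfg)
        print(label, "OK" if result["ok"] else "FAIL")
        for e in result["errors"]:
            print("  ERROR:", e)
        for w in result["warnings"]:
            print("  WARN:", w)
```

Run against the poster's config the audit fails on exactly the missing exec list and names the commands-only authorization as the likely cause; the fixed config passes cleanly; the local-database config passes but is flagged for the none fallback and for SSH version 2 not being pinned. The checker only reads configuration text, so it cannot tell whether SSH is actually up (RSA keys are not part of the text), which is why that item is a warning rather than an error.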


New Member

Re: SCP error

Thanks Joe, this was exactly what was missing:

aaa authorization exec default group tacacs+

It now works perfectly.

New Member

For non-TACACS configs, this config also works:

aaa authorization exec default local if-authenticated
