https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180322#M438132 <HTML><HEAD></HEAD><BODY><P>Thanks Mynul. Actually "nvram" and "scp" are not valid commands\parameters and cannot be used with the "privilege" command.</P><P>I would open a TAC case for this.</P><P></P><P>Regards \\ Naman</P></BODY></HTML> Wed, 28 May 2003 15:16:14 GMT mnlatif 2003-05-28T15:16:14Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180316#M438122 <P>Hi,</P><P>I want to allow a user to upload\download files remotely to\from a Cisco Router using Secure Copy (SCP) and SSH.</P><P>However it doesn't work unless i give the user a Privilege level of 15.</P><P></P><P>Does anyone know, if this can work with a Custom Privilege Level ? What commands should i include in that Privilege level ?</P><P></P><P>Regards \\ Naman</P> Sun, 10 Mar 2019 14:18:54 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180316#M438122 mnlatif 2019-03-10T14:18:54Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180317#M438123 <HTML><HEAD></HEAD><BODY><P>Hi Naman,</P><P></P><P>Based on your description, looks like you want to do it locally on the router. I haven't tested this but I think it will work. Basically, with priv-level 2-14, you can go to the exec mode, which is the minimum requirement for scp to work. Now, "copy" command is a priv-level 15 command. So, you need to bring that command down to level 2-14 level. So, if you can accomplish that then it will work. So, here is what it requires for the user configuration:</P><P></P><P>Username admin7 priv 7 pass admin7 </P><P>privilege exec level 7 copy</P><P>privilege exec level 7 scp &lt;--This may not be needed</P><P></P><P>Here is a great doc on SCP:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html#1023544" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087b18.html#1023544</A></P><P></P><P>I hope this helps ! Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Mon, 26 May 2003 19:20:46 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180317#M438123 mhoda 2003-05-26T19:20:46Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180318#M438125 <HTML><HEAD></HEAD><BODY><P>Hi Mynul,</P><P>Thanks for the info. However my problem wasa bit different, what i want is</P><P></P><P>1. To have a User remotely "Pull" the config FROM the router using SCP.</P><P></P><P>e.g. Use SCP from a LINUX box to download the Router config.</P><P></P><P>This works if i use a username that has Privilege 15, however it doesn't work with any other privilege level (i also tried your suggestion but it didn't work).</P><P></P><P>Regards \\ Naman</P></BODY></HTML> Tue, 27 May 2003 16:18:18 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180318#M438125 mnlatif 2003-05-27T16:18:18Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180319#M438127 <HTML><HEAD></HEAD><BODY><P>Hey Naman,</P><P></P><P>If you can provide me the commands thats getting executed on the router when you pull the config on Linux box, I can help defining the user. Did you try to put the "pull" along with "copy" in your customised priv level to see if that helps.</P><P></P><P>Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Tue, 27 May 2003 16:50:40 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180319#M438127 mhoda 2003-05-27T16:50:40Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180320#M438129 <HTML><HEAD></HEAD><BODY><P>Hi Mynul,</P><P>I don't know, how i can see the commands being executed on the router. "Debug ip ssh" trace looks exactly the similar for Working\Non-Working scenarios.</P><P></P><P>On the Linux Box, below is the working scenario </P><P>++++++++++++++++++++++++++++++++++++++++++=</P><P></P><P>[nlatif@naman nlatif]$ scp scp1@naman-router:nvram:startup-config naman.readme</P><P>scp1@naman-router's password: </P><P>startup-config 100% |**********************************| 6081 00:00 </P><P></P><P>++++++++++++++++++++++++++++++++++++++++++</P><P></P><P>And this is the Non-Working Scenario</P><P></P><P>++++++++++++++++++++++++++++++++++++++</P><P>[nlatif@naman nlatif]$ scp scp@naman-router:nvram:startup-config naman.readme</P><P>scp@naman-router's password: </P><P>Privilege denied.</P><P>+++++++++++++++++++++++++++++++++++++++</P><P></P><P>The relevant router config is</P><P></P><P>aaa new-model</P><P>!</P><P>aaa authentication login default local</P><P>aaa authorization exec default local </P><P></P><P></P><P>username scp1 privilege 15 secret 5 xxxxxxxx</P><P>username scp privilege 5 secret 5 xxxxxxxxx</P><P></P><P>privilege exec level 5 copy</P><P>++++++++++++++++++++++++++++++++++++++++++++</P><P></P><P>Also if i login to the router using "scp", i can Upload a config from the router to the Linux box using SCP. Its only that remote download doesn't work for a user with a lower privilege level than 15.</P><P></P></BODY></HTML> Tue, 27 May 2003 18:40:59 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180320#M438129 mnlatif 2003-05-27T18:40:59Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180321#M438131 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Only other suggestion I can provide is to add the following into the config:</P><P></P><P>privilege exec level 5 nvram</P><P>privilege exec level 5 scp</P><P> </P><P>Along with :</P><P></P><P>privilege exec level 5 copy </P><P></P><P>If that doesn't work, then I guess the best would be contact TAC to open up an enhancement request as it appears that machines are directly talking to the scp server without executing any commands on exec mode. Otherwise, with the above lines it should work.</P><P></P><P>Thanks,</P><P></P><P>Mynul</P><P></P></BODY></HTML> Wed, 28 May 2003 05:05:05 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180321#M438131 mhoda 2003-05-28T05:05:05Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180322#M438132 <HTML><HEAD></HEAD><BODY><P>Thanks Mynul. Actually "nvram" and "scp" are not valid commands\parameters and cannot be used with the "privilege" command.</P><P>I would open a TAC case for this.</P><P></P><P>Regards \\ Naman</P></BODY></HTML> Wed, 28 May 2003 15:16:14 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/180322#M438132 mnlatif 2003-05-28T15:16:14Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/4606829#M574634 <P>Dear mnlatif,</P><P>&nbsp;</P><P>Sorry to resurrect this old topic but i facing the same issue.</P><P>&nbsp;</P><P>Does it solved for you ? Or do you opened a tac case ?</P><P>&nbsp;</P><P>Thanks for your time.</P> Mon, 09 May 2022 12:15:26 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/4606829#M574634 bendeguz.kovacs1 2022-05-09T12:15:26Z https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/5136340#M590262 <P>Hello all,</P> <P>&nbsp;</P> <P>Did you found a solution, I'm also facing the exact same issue.<BR /><BR /><BR />Kind regards,<BR />CT.</P> Wed, 26 Jun 2024 12:44:10 GMT https://community.cisco.com/t5/network-access-control/privilege-level-for-scp/m-p/5136340#M590262 Cedric T. 2024-06-26T12:44:10Z