1669 Views, 0 Helpful, 3 Replies
SCP support on 2801 router

kurtdeneef
Level 1

Hello,

To perform configuration change management, I need to set up an SCP connection to our Cisco router.

Cisco Router 2801

IOS Version 12.3(14)T4

I have enabled SSH on the router as described below.

Current configuration : 7482 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname izdmzrtr2
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz[1].123-14.T4.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius ogone
 server x.x.x.x auth-port 1645 acct-port 1646
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa authentication login default group radius local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
no ip domain lookup
ip domain name ogone.prod
ip ssh version 2
ip scp server enable
ip sla monitor 1
 type dns target-addr 212.23.32.66 name-server 212.23.32.66
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type dns target-addr 212.23.33.66 name-server 212.23.33.66
ip sla monitor schedule 2 life forever start-time now
ip sla monitor 3
 type dns target-addr 213.200.89.89 name-server 213.200.89.89
ip sla monitor schedule 3 life forever start-time now
ip sla monitor 4
 type dns target-addr 213.200.90.90 name-server 213.200.90.90
ip sla monitor schedule 4 life forever start-time now
ip sla monitor 5
 type dns target-addr 212.23.32.66 name-server 212.23.32.66
ip sla monitor schedule 5 life forever start-time now
ip sla monitor 6
 type dns target-addr 212.23.33.66 name-server 212.23.33.66
ip sla monitor schedule 6 life forever start-time now
ip sla monitor 7
 type dns target-addr 213.200.89.89 name-server 213.200.89.89
ip sla monitor schedule 7 life forever start-time now
ip sla monitor 8
 type dns target-addr 213.200.90.90 name-server 213.200.90.90
ip sla monitor schedule 8 life forever start-time now
!
no ftp-server write-enable
!
username xxxx privilege 15 secret xxxx
no crypto isakmp ccm
!
interface FastEthernet0/0
 description Interface in VLAN19
 ip address x.x.x.x 255.255.255.0
 ip policy route-map ISP19
 speed 100
 full-duplex
 standby 1 ip x.x.x.x
 standby 1 priority 95
!
interface FastEthernet0/1
 description Interface in VLAN18
 ip address x.x.x.x 255.255.255.0
 ip policy route-map ISP18
 speed 100
 full-duplex
 standby 2 ip x.x.x.x
 standby 2 priority 95
!
ip classless
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
ip route 212.23.32.66 255.255.255.255 x.x.x.x
ip route 212.23.33.66 255.255.255.255 x.x.x.x
ip route 213.200.89.89 255.255.255.255 x.x.x.x
ip route 213.200.90.90 255.255.255.255 x.x.x.x
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxxxxx
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxxxxxxx
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
end

The SSH connection is OK, but all SCP connections failed.

I already added "ip scp server enable", but it didn't change anything.

Anyone who has a suggestion? I'm not familiar with this config.

Thanks in advance,

Kurt

3 Replies

crose
Level 1

Kurt, I'm trying to do the same thing on a 3745. This much I know: you have to have AAA authorization turned on for this to work. If you turn on the debug (debug ip scp), you will probably see your router deny it based on no authorization. You can use either TACACS+ or local authentication for the auth. But I know for a fact SCP will not work without it. Here is a good reference:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804831d0.html

Hi there,

I have tried with local authentication & authorization. It works.

But not with RADIUS authentication & authorization.

From what I understand, it seems that the config is OK on the router, but it fails because the user is not correctly authorized by RADIUS (aaa authentication works fine, but not aaa authorization).

Do you know which RADIUS parameter the Cisco router expects to receive from the RADIUS server?

I have enabled SCP and AAA authorization debug, and I got the following error:

*Dec 14 17:51:11.078: SCP: [22 <- 10.1.4.193:1909] recv
*Dec 14 17:51:11.078: SCP: [22 -> 10.1.4.193:1909] send Privilege denied.
*Dec 14 17:51:15.602: AAA/BIND(0000004B): Bind i/f
*Dec 14 17:51:15.618: AAA/AUTHOR/EXEC(0000004B): Authorization successful
*Dec 14 17:51:15.618: AAA/AUTHOR (0000004B): Method list id=0 not configured. Skip author

Any idea what this means?

Is there a parameter missing in the config?

Kurt

Problem solved.

The config is OK now, but I forgot to provide the privilege level for that user on the RADIUS server.

The router expects to get this parameter from the RADIUS server before granting authorization to that user.
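Putting the two halves of the fix together, crose's point that AAA exec authorization must be on and Kurt's finding that the RADIUS server has to hand back the user's privilege level, here is an added example that is not taken from the thread. The router side shows the lines the originally posted config was missing; the RADIUS side is a FreeRADIUS `users` entry (the thread never names the RADIUS server, so FreeRADIUS, the user name `kurt`, and the placeholder password are assumptions). SCP on IOS needs the session to be authorized at privilege 15; with RADIUS that level arrives as the Cisco vendor-specific attribute `shell:priv-lvl=15` in the Access-Accept, which is what the "Privilege denied" debug line was complaining about.

```text
! --- Router side (IOS 12.3T) ---
! The posted config had login authentication and "ip scp server enable" but
! no exec authorization, so SCP answered "Privilege denied" even though the
! SSH login itself succeeded.
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Let the router process Cisco VSAs (cisco-avpair) carried in RADIUS replies.
radius-server vsa send authentication
!
ip ssh version 2
ip scp server enable
!
! Keep one privilege-15 local account so SCP still works when both RADIUS
! servers are unreachable ("local" is the fallback in both method lists).
username xxxx privilege 15 secret xxxx
!
! Watch a client attempt while troubleshooting (turn off afterwards):
! debug ip scp
! debug aaa authorization

# --- RADIUS side: FreeRADIUS "users" file (assumed server; credentials are placeholders) ---
# Service-Type NAS-Prompt-User marks this as a CLI/exec login, and the
# Cisco-AVPair sets the exec privilege level the router will authorize.
kurt    Cleartext-Password := "change-me"
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"
```

With both sides in place, a client pull of the running config looks like `scp kurt@izdmzrtr2:system:running-config ./izdmzrtr2.cfg` (the hostname is the one from the posted config). If the router still reports "Privilege denied", run the two debugs above and check that the Access-Accept actually contains the Cisco-AVPair; a server that authenticates the user but omits the attribute produces exactly the "authentication works, authorization does not" symptom described in the thread.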