01-05-2009 05:46 AM
I'm trying to upgrade a router with CiscoWorks RME using SCP. It fails and says "SCP: [22 -> x.x.x.x:28475] send Privilege denied."
The privilege level for this user is 15. I have checked the firewall and it's not blocking the traffic. Any ideas on where the privilege denied comes from? Thanks.
01-05-2009 11:12 PM
Here is a sample TACACS+ config:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftscp.html for more details.
01-05-2009 09:28 AM
What does your config look like? For SCP, you need a standard SSH config (which grants the user level 15 access) as well as:
ip scp server enable
What I typically use for local authentication and authorization is:
aaa new-model
aaa authentication login default local
aaa authorization exec default local none
username USER privilege 15 password PASS
ip scp server enable
01-05-2009 11:05 PM
Here's my AAA config. I'm using authorization, but I don't see any logs in my ACS when RME attempts to use SCP.
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip ssh version 2
ip scp server enable
01-05-2009 11:07 PM
You need to be using exec-level authorization. You have authorization only for config-commands and commands. See my example config.
[Edit]
When the user logs in, they should be immediately dropped to a '#' prompt. The "show privilege" command should indicate they have level 15 access.
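As an added example (not code from any post in this thread), the following Python check applies the diagnosis above to a saved running-config: it looks for the four pieces the replies name (aaa new-model, an exec authorization method list, an SSH configuration line and ip scp server enable) and lists what is missing. The two configs embedded in it are constructed samples: the first is the 11:05 PM poster's config with the "aaa new-model" line those aaa commands presuppose, the second is the same config with the exec authorization line added.

```python
import re

# Constructed sample: the config from the 11:05 PM post, plus the
# "aaa new-model" line that those aaa commands presuppose. Not a real device.
POSTER_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip ssh version 2
ip scp server enable
"""

# Constructed sample: the same config with the line the thread identified as missing.
FIXED_CONFIG = POSTER_CONFIG + "aaa authorization exec default group tacacs+\n"

# Each requirement is (label, regex matched against one stripped config line).
# "commands 15" and "config-commands" authorization deliberately do NOT satisfy
# the exec requirement; that distinction is the whole point of the thread.
REQUIREMENTS = [
    ("aaa new-model", re.compile(r"^aaa new-model$")),
    ("aaa authorization exec default <method-list>",
     re.compile(r"^aaa authorization exec default\s+\S")),
    ("ip ssh <...> (SSH configured)", re.compile(r"^ip ssh\b")),
    ("ip scp server enable", re.compile(r"^ip scp server enable$")),
]


def config_lines(config_text):
    """Yield non-empty config lines that are not '!' comments, whitespace stripped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def missing_scp_requirements(config_text):
    """Return the labels of required lines not present in config_text, in checklist order."""
    lines = list(config_lines(config_text))
    return [label for label, pat in REQUIREMENTS
            if not any(pat.match(line) for line in lines)]


def authorization_lines(config_text):
    """Return every 'aaa authorization ...' line so the reader can see which
    authorization types are configured (commands, config-commands, exec)."""
    return [line for line in config_lines(config_text)
            if line.startswith("aaa authorization ")]


if __name__ == "__main__":
    for name, cfg in (("poster", POSTER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: authorization lines = {authorization_lines(cfg)}")
        print(f"{name}: missing = {missing_scp_requirements(cfg) or 'nothing'}")
```

Run against the poster's config it reports only the exec authorization line as missing, which matches the reply; a local method list such as "aaa authorization exec default local none" from the earlier post satisfies the same check.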
01-06-2009 02:36 AM
Thanks Joe, this was exactly what was missing:
aaa authorization exec default group tacacs+
It now works perfectly.
03-23-2016 05:50 PM
For non-TACACS configs, this config also works:
aaa authorization exec default local if-authenticated
12-09-2018 10:21 PM - edited 12-09-2018 10:26 PM
Hi Joy,
I am also facing the same problem. Actually, when I try to run the SCP command from CMD, it shows privilege denied. I have configured the device according to your post.
We are using an ACS TACACS+ server for AAA and have privilege 15 access as well.
We have logged in to the device using SSH successfully.
ERROR:
C:\Users\Administrator>scp spectrum@10.192.10.97:running-config .
password:
Authentication succeeded. Your password will expire in 1 weeks + 1 days + 3 hours + 31 Minutes
Privilege denied.
Connection to 10.192.10.97 closed by remote host.
Please provide the solution ASAP.
Regards
Deependra
01-16-2024 04:35 AM
You also need to make sure you have enabled aaa authentication and authorization on the vty lines.