01-05-2009 05:46 AM
I'm trying to upgrade a router with CiscoWorks RME using SCP. It fails and says "SCP: [22 -> x.x.x.x:28475] send Privilege denied."
The privilege level for this user is 15. I have checked the firewall and it's not blocking the traffic. Any ideas on where the privilege denied comes from? Thanks.
01-05-2009 11:12 PM
Here is a sample TACACS+ config:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
See http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftscp.html for more details.
01-05-2009 09:28 AM
What does your config look like? For SCP, you need a standard SSH config (which grants the user level 15 access) as well as:
ip scp server enable
What I typically use for local authentication and authorization is:
aaa new-model
aaa authentication login default local
aaa authorization exec default local none
username USER privilege 15 password PASS
ip scp server enable
01-05-2009 11:05 PM
Here's my AAA config. I'm using authorization, but I don't see any logs in my ACS when RME attempts to use SCP.
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip ssh version 2
ip scp server enable
01-05-2009 11:07 PM
You need to be using exec-level authorization. You have authorization only for config-commands and commands. See my example config.
[Edit]
When the user logs in, they should be immediately dropped to a '#' prompt. The "show privilege" command should indicate they have level 15 access.
01-06-2009 02:36 AM
Thanks Joe, this was exactly what was missing:
aaa authorization exec default group tacacs+
It now works perfectly.
03-23-2016 05:50 PM
For non-TACACS configs, this config also works:
aaa authorization exec default local if-authenticated
12-09-2018 10:21 PM - edited 12-09-2018 10:26 PM
Hi JOY,
I am also facing the same problem. Actually, when I try to run the SCP command from CMD, it shows privilege denied. I have configured the device according to your post.
We are using an ACS TACACS server for AAA and have privilege 15 access also.
We have logged in to the device using SSH successfully.
ERROR:
C:\Users\Administrator>scp spectrum@10.192.10.97:running-config .
password:
Authentication succeeded. Your password will expire in 1 weeks + 1 days + 3 hours + 31 Minutes
Privilege denied.
Connection to 10.192.10.97 closed by remote host.
Please provide the solution ASAP.
Regards
Deependra
01-16-2024 04:35 AM
You also need to make sure you have enabled aaa authentication and authorization on the vty lines.
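As an added example (not a reply from this thread and not Cisco's own tooling), here is a small Python audit that reads a saved running-config and reports which of the prerequisites discussed above are missing: aaa new-model, a default login authentication list, exec authorization, ip scp server enable, SSH version 2, and vty lines that only reference method lists that actually exist. Both sample configs are constructed for the example (the first mirrors the poster's command-only authorization, the second adds exec authorization); the list names VTY-AUTH and VTY-AUTHZ are invented.

```python
"""Audit an IOS running-config for the AAA/SSH settings that SCP to the router depends on."""

# Constructed sample: an AAA config like the original poster's, with command
# authorization but no exec authorization (the "Privilege denied" case).
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default line group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
ip ssh version 2
ip scp server enable
line vty 0 4
 transport input ssh
"""

# Constructed sample: the same config with exec authorization added, plus
# named method lists (VTY-AUTH / VTY-AUTHZ are invented names) applied on the vty lines.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication login VTY-AUTH group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization exec VTY-AUTHZ group tacacs+
aaa authorization commands 15 default group tacacs+ local
ip ssh version 2
ip scp server enable
line vty 0 4
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 transport input ssh
"""


def parse_config(text):
    """Split a config into top-level commands and the sub-commands of each 'line vty' section."""
    top_level, vty_sections, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and comments
        if raw.startswith(" "):           # indented: belongs to the open section, if any
            if current is not None:
                current[1].append(raw.strip())
            continue
        command = raw.strip()
        if command.startswith("line vty"):
            current = (command, [])
            vty_sections.append(current)
        else:
            current = None                # any other top-level command closes the section
            top_level.append(command)
    return top_level, vty_sections


def method_lists(top_level, category, service):
    """Names of the AAA method lists configured for e.g. ('authentication', 'login')."""
    prefix = f"aaa {category} {service} "
    return {cmd[len(prefix):].split()[0] for cmd in top_level if cmd.startswith(prefix)}


def audit_scp_prereqs(text):
    """Return a list of findings; an empty list means every checked prerequisite is present."""
    findings = []
    top_level, vty_sections = parse_config(text)
    login_lists = method_lists(top_level, "authentication", "login")
    exec_lists = method_lists(top_level, "authorization", "exec")

    if "aaa new-model" not in top_level:
        findings.append("missing 'aaa new-model': AAA method lists are not in effect")
    if "ip scp server enable" not in top_level:
        findings.append("missing 'ip scp server enable': the router will not accept SCP")
    if "ip ssh version 2" not in top_level:
        findings.append("SSH version 2 is not pinned ('ip ssh version 2')")
    if "default" not in login_lists:
        findings.append("no default login authentication list")
    if "default" not in exec_lists:
        findings.append("no exec authorization ('aaa authorization exec default ...'): "
                        "SCP sessions get no EXEC privilege level and fail with 'Privilege denied'")
    if not vty_sections:
        findings.append("no 'line vty' section found")

    for header, subcommands in vty_sections:
        for cmd in subcommands:
            parts = cmd.split()
            # A vty line may point at a named list; that list must actually exist.
            if cmd.startswith("login authentication ") and parts[2] not in login_lists:
                findings.append(f"{header}: references undefined login list '{parts[2]}'")
            if cmd.startswith("authorization exec ") and parts[2] not in exec_lists:
                findings.append(f"{header}: references undefined exec authorization list '{parts[2]}'")
        transports = [c.split()[2:] for c in subcommands if c.startswith("transport input")]
        if transports and not any({"ssh", "all"} & set(t) for t in transports):
            findings.append(f"{header}: 'transport input' does not permit ssh")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_scp_prereqs(cfg) or ["OK"])
```

Run against the first sample it reports only the missing exec authorization, which is the one line the original poster was lacking; against the second it reports nothing. Feed it the output of "show running-config" saved to a file to check a real device before pointing RME (or any SCP client) at it.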