SCP Privilege denied - IOS-XE

opnineopnine (Level 1)

Hello,

I'm getting the following error when I have to upload a file via SCP to one of the IOS-XE devices. I think AAA can be the issue but I'm not sure.

I configured in the router:

ip scp server enable; my user has privilege 15.

 

AAA Configuration:

aaa authentication login aaa-tacacs-login group tacs-server local
aaa authorization exec aaa-tacacs-exec group tacs-server local 
aaa authorization commands 1 aaa-tacacs-cmm group tacs-server local 
aaa authorization commands 15 aaa-tacacs-cmm group tacs-server local 
aaa accounting exec aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 1 aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 15 aaa-tacacs-acc start-stop group tacs-server

----------------

002543: Jul 18 16:29:10.774: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002544: Jul 18 16:29:11.039: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:11 BsAs Wed Jul 18 2018
002545: Jul 18 16:29:11.039: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002546: Jul 18 16:29:16.983: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002547: Jul 18 16:29:17.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:17 BsAs Wed Jul 18 2018
002548: Jul 18 16:29:17.255: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002549: Jul 18 16:29:25.729: SCP: [22 -> 10.200.247.241:42984] send Privilege denied.
002550: Jul 18 16:29:25.729: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 2) for user 'cisco' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
002551: Jul 18 16:29:25.880: %SYS-6-LOGOUT: User cisco has exited tty session 3(10.200.247.241)
IOS-XE#
002552: Jul 18 16:29:25.880: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed

9 Replies

Richard Burts (Hall of Fame)

It would appear that you are using an ID of cisco, is that correct?

 

There are messages indicating that authentication for user cisco was successful. Then there is an error about Privilege denied. So it looks like it is an issue with the configured authorization. Can you confirm that on your TACACS server user cisco is correctly authorized for these commands for SCP?

 

HTH

 

Rick

Hello,

 

Yes, the user is cisco; my user has level 15 for this device. As for what you said about the TACACS giving the right access, how can I check that? I posted my AAA configuration.

 

thanks. 

I am suggesting that the issue is not with your router and its AAA configuration but with your TACACS server and how that user account is set up in TACACS. I suspect that TACACS is not authorizing those commands for that user.

 

HTH

 

Rick

I also have the same problem, but with RADIUS. Does Cisco support SCP with RADIUS auth, or does it have to be TACACS?

Hi,

 

It is supported with both TACACS and RADIUS. What exactly is the problem?

 

Regards,

Cristian Matei.

On a Catalyst 3850 running IOS XE 03.06.06, I get the "SCP: [22 -> 10.0.120.32:54994] send Privilege denied" error when I try to upload a new image

with

pscp.exe -l username image-name switch-ip:

I have this setup:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated

aaa session-id common

ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

I will make the same suggestion here that I did in the original discussion. I do not see any obvious issues in the switch configuration and suspect that the problem is not about anything on the switch but about how the user is set up in RADIUS.

HTH

Rick

Yes, I can confirm that adding a temporary user with priv 15 and using local auth works. Now how to do it with RADIUS seems a mystery.

Hi,

 

The way it looks, it means that you need to assign a privilege level of 15 to the user authenticated by RADIUS. So you need to ensure that on your RADIUS server you configure some kind of authorisation policy, so that alongside the "Access-Accept" message you are also assigning a priv lvl of 15. Make use of the Cisco VSA RADIUS attributes, by using the AV-pair "shell:priv-lvl=15".

 

Regards,

Cristian Matei.
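To make the last answer concrete, here is an added example (not code from this thread, nor from Cisco or any RADIUS server product) that builds a RADIUS Access-Accept carrying the Cisco VSA `shell:priv-lvl=15` and then parses it the way the switch would, so you can see exactly which bytes the server has to send for exec authorization to grant privilege 15. The packet layout follows RFC 2865 (Vendor-Specific attribute type 26, Cisco vendor ID 9, Cisco-AVPair vendor-type 1); the shared secret, packet identifier and request authenticator are constructed sample values, and an Access-Accept with no priv-lvl pair is shown alongside, which is the case the thread describes (authentication succeeds, but SCP reports "Privilege denied").

```python
"""Cisco-AVPair shell:priv-lvl in a RADIUS Access-Accept (added example, constructed inputs)."""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor-type of Cisco-AVPair inside the VSA


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a complete Vendor-Specific attribute."""
    data = value.encode("ascii")
    vendor_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: list) -> bytes:
    """Build an Access-Accept; the Response Authenticator is MD5 over
    Code+ID+Length+RequestAuth+Attributes+Secret, as the NAS will recompute it."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...], rejecting truncated or overlapping attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    pos, attrs = 20, []
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def cisco_avpairs(packet: bytes) -> list:
    """Extract every Cisco-AVPair string from the packet's Vendor-Specific attributes."""
    pairs = []
    for atype, val in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 4:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA: ignore
        pos = 4
        while pos + 2 <= len(val):
            vtype, vlen = val[pos], val[pos + 1]
            if vlen < 2 or pos + vlen > len(val):
                raise ValueError("malformed vendor attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(val[pos + 2:pos + vlen].decode("ascii"))
            pos += vlen
    return pairs


def privilege_level(packet: bytes):
    """Privilege level granted by shell:priv-lvl=N, or None if the server sent none
    (in which case the exec session lands at the default level and SCP is refused)."""
    for pair in cisco_avpairs(packet):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


def response_authenticator_ok(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The NAS-side check: an Access-Accept whose authenticator does not match the
    shared secret is dropped, so priv-lvl cannot simply be injected on the wire."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    secret = b"constructed-shared-secret"       # sample value, not a real deployment
    req_auth = os.urandom(16)                    # stands in for the Access-Request's authenticator
    with_priv = build_access_accept(7, req_auth, secret, [cisco_avpair("shell:priv-lvl=15")])
    without_priv = build_access_accept(8, req_auth, secret, [])
    tampered = with_priv[:-1] + bytes([with_priv[-1] ^ 0x01])   # flip one attribute byte
    return {
        "level_with_vsa": privilege_level(with_priv),        # 15: exec authorization grants priv 15
        "level_without_vsa": privilege_level(without_priv),  # None: same symptom as in the thread
        "auth_ok": response_authenticator_ok(with_priv, req_auth, secret),
        "tampered_ok": response_authenticator_ok(tampered, req_auth, secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the server side this is what a policy such as a FreeRADIUS `Cisco-AVPair = "shell:priv-lvl=15"` reply item or an ISE authorization profile with that AV-pair produces; `demo()` prints the granted level for both cases and confirms that the switch's authenticator check rejects a packet altered in transit.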
