cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13797
Views
13
Helpful
9
Replies

SCP Privilege denied - IOS-XE

opnineopnine
Level 1
Level 1

Hello, 

 

Im getting the following error when I have to upload a file via scp to one of the IOS-XE. I think AAA can be the issue but not sure.

 

I configured in the router:

ip scp server enable, my user has privilege 15

 

AAA Configuration:

aaa authentication login aaa-tacacs-login group tacs-server local
aaa authorization exec aaa-tacacs-exec group tacs-server local 
aaa authorization commands 1 aaa-tacacs-cmm group tacs-server local 
aaa authorization commands 15 aaa-tacacs-cmm group tacs-server local 
aaa accounting exec aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 1 aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 15 aaa-tacacs-acc start-stop group tacs-server

----------------

002543: Jul 18 16:29:10.774: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002544: Jul 18 16:29:11.039: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:11 BsAs Wed Jul 18 2018
002545: Jul 18 16:29:11.039: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002546: Jul 18 16:29:16.983: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002547: Jul 18 16:29:17.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:17 BsAs Wed Jul 18 2018
002548: Jul 18 16:29:17.255: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002549: Jul 18 16:29:25.729: SCP: [22 -> 10.200.247.241:42984] send Privilege denied.
002550: Jul 18 16:29:25.729: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 2) for user 'cisco' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
002551: Jul 18 16:29:25.880: %SYS-6-LOGOUT: User cisco has exited tty session 3(10.200.247.241)
IOS-XE#
002552: Jul 18 16:29:25.880: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed

9 Replies 9

Richard Burts
Hall of Fame
Hall of Fame

It would appear that you are using an ID of cisco, is that correct?

 

There are messages indicating that authentication for user cisco was successful. Then there is an error about Privilege denied. So it looks like it is an issue with the configured authorization. Can you confirm that on your tacacs server that user cisco is correctly authorized for this commands for scp?

 

HTH

 

Rick

HTH

Rick

Hello,

 

Yes, the user is cisco, my user has a level 15 for this device, and for what you said about the Tacacas giving the right access, how can I check that? I posted my AAA configuration.

 

thanks. 

I am suggesting that the issue is not with your router and its AAA configuration but is with your tacacs server and how that user account is set up in tacacs. I suspect that tacacs is not authorizing those commands for that user.

 

HTH

 

Rick

HTH

Rick

I also have the same problem, but with Radius. Does cisco support SCP with Radius auth, or does it have to be Tacacs?

Hi,

 

   It is supported with both TACACS and RADIUS. What exactly is the problem?

 

Regards,

Cristian Matei.

on a Catalyst 3850 IOS XE 03.06.06 , i get "SCP: [22 -> 10.0.120.32:54994] send Privilege denied" error when i try to upload a new image 

with

pscp.exe -l username image-name switch-ip:

 

i have this setup

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated

aaa session-id common

ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable

I will make the same suggestion here that I did in the original discussion. I do not see any obvious issues in the switch configuration and suspect that the problem is not about anything on the switch but is about how the user is set up in Radius. 

HTH

Rick

Yes, i can confirm adding a temporary user with priv 15 and going with local auth works. Now how to do it with Radius seems a mystery.

Hi,

 

   The way it looks, it means that you need to assign a privilege level of 15 to the user authenticated by RADIUS. So you ned to ensure that on your RADIUS server, you configure some kind of authorisation policy, so that alongside with the "Access-Accept" message, you're also assigning a priv lvl of 15. Make use of the Cisco VSA RADIUS Attributes, by using "AV-pair shell:priv-lvl=15".

 

Regards,

Cristian Matei.

Review Cisco Networking for a $25 gift card