07-24-2018 11:30 AM - edited 03-08-2019 03:44 PM
Hello,
I'm getting the following error when I have to upload a file via SCP to one of the IOS-XE devices. I think AAA could be the issue, but I'm not sure.
I configured in the router:
ip scp server enable, my user has privilege 15
AAA Configuration:
aaa authentication login aaa-tacacs-login group tacs-server local
aaa authorization exec aaa-tacacs-exec group tacs-server local
aaa authorization commands 1 aaa-tacacs-cmm group tacs-server local
aaa authorization commands 15 aaa-tacacs-cmm group tacs-server local
aaa accounting exec aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 1 aaa-tacacs-acc start-stop group tacs-server
aaa accounting commands 15 aaa-tacacs-acc start-stop group tacs-server
----------------
002543: Jul 18 16:29:10.774: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002544: Jul 18 16:29:11.039: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:11 BsAs Wed Jul 18 2018
002545: Jul 18 16:29:11.039: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002546: Jul 18 16:29:16.983: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002547: Jul 18 16:29:17.255: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 10.200.247.241] [localport: 22] at 16:29:17 BsAs Wed Jul 18 2018
002548: Jul 18 16:29:17.255: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
IOS-XE#
002549: Jul 18 16:29:25.729: SCP: [22 -> 10.200.247.241:42984] send Privilege denied.
002550: Jul 18 16:29:25.729: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 2) for user 'cisco' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
002551: Jul 18 16:29:25.880: %SYS-6-LOGOUT: User cisco has exited tty session 3(10.200.247.241)
IOS-XE#
002552: Jul 18 16:29:25.880: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
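The log above shows the pattern worth recognising: authentication succeeds on the SSH session, then the SCP channel is refused with "Privilege denied", which points at authorization rather than credentials. As an added example (not code from this thread or from Cisco), the Python below correlates a successful SSH2_USERAUTH with a later SCP "Privilege denied" from the same source address and reports the session as authenticated-but-not-authorized. The sample lines are copied from the excerpt above; tying the SCP message to the newest open session from that source is an assumption, because the SCP message itself carries no tty.

```python
import re

# Constructed sample: the relevant lines from the log excerpt in the post above
# (session-request and LOGIN_SUCCESS lines omitted). Not a live capture.
SAMPLE_LOG = """\
002545: Jul 18 16:29:11.039: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 1) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002548: Jul 18 16:29:17.255: %SSH-5-SSH2_USERAUTH: User 'cisco' authentication for SSH2 Session from 10.200.247.241 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' Succeeded
002549: Jul 18 16:29:25.729: SCP: [22 -> 10.200.247.241:42984] send Privilege denied.
002550: Jul 18 16:29:25.729: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 2) for user 'cisco' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
002552: Jul 18 16:29:25.880: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.200.247.241 (tty = 1) for user '' using crypto cipher 'aes128-ctr', hmac 'hmac-sha2-256' closed
"""

# Patterns for the three IOS messages the triage needs.
USERAUTH = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '(?P<user>[^']*)' authentication for SSH2 Session "
    r"from (?P<src>[\d.]+) \(tty = (?P<tty>\d+)\).*Succeeded"
)
SCP_DENIED = re.compile(r"SCP: \[\d+ -> (?P<src>[\d.]+):\d+\] send Privilege denied")
SESSION_CLOSE = re.compile(r"%SSH-5-SSH2_CLOSE: SSH2 Session from (?P<src>[\d.]+) \(tty = (?P<tty>\d+)\)")


def triage_scp_denials(log_text):
    """Return one finding per SCP 'Privilege denied' event, tied to the authenticated session it most likely belongs to."""
    open_sessions = {}  # (src, tty) -> user; dict keeps insertion order, i.e. authentication order
    findings = []
    for line in log_text.splitlines():
        m = USERAUTH.search(line)
        if m:
            open_sessions[(m["src"], m["tty"])] = m["user"]
            continue
        m = SCP_DENIED.search(line)
        if m:
            # Assumption: the SCP message has no tty, so pin it to the newest open session from that source.
            key = next((k for k in reversed(list(open_sessions)) if k[0] == m["src"]), None)
            findings.append({
                "source": m["src"],
                "user": open_sessions.get(key),
                "tty": key[1] if key else None,
                "verdict": ("authenticated but SCP authorization denied: check the privilege level AAA returns"
                            if key else "SCP denied with no matching authenticated session"),
            })
            continue
        m = SESSION_CLOSE.search(line)
        if m:
            open_sessions.pop((m["src"], m["tty"]), None)
    return findings


if __name__ == "__main__":
    for finding in triage_scp_denials(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports a single finding for user cisco on tty 2, which is exactly the case the replies below chase: the credentials are fine, the privilege level handed back by AAA is not.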
07-24-2018 12:16 PM
It would appear that you are using an ID of cisco, is that correct?
There are messages indicating that authentication for user cisco was successful. Then there is an error about Privilege denied. So it looks like it is an issue with the configured authorization. Can you confirm that on your tacacs server user cisco is correctly authorized for these commands for scp?
HTH
Rick
07-25-2018 06:47 AM
Hello,
Yes, the user is cisco, my user has level 15 for this device, and for what you said about the TACACS giving the right access, how can I check that? I posted my AAA configuration.
thanks.
07-28-2018 08:00 AM
I am suggesting that the issue is not with your router and its AAA configuration but is with your tacacs server and how that user account is set up in tacacs. I suspect that tacacs is not authorizing those commands for that user.
HTH
Rick
03-16-2020 02:32 AM
I also have the same problem, but with Radius. Does cisco support SCP with Radius auth, or does it have to be Tacacs?
03-16-2020 03:37 AM
Hi,
It is supported with both TACACS and RADIUS. What exactly is the problem?
Regards,
Cristian Matei.
03-16-2020 05:49 AM
On a Catalyst 3850 IOS XE 03.06.06, I get "SCP: [22 -> 10.0.120.32:54994] send Privilege denied" error when I try to upload a new image
with
pscp.exe -l username image-name switch-ip:
I have this setup
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local if-authenticated
aaa session-id common
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
03-16-2020 06:35 AM
I will make the same suggestion here that I did in the original discussion. I do not see any obvious issues in the switch configuration and suspect that the problem is not about anything on the switch but is about how the user is set up in Radius.
03-16-2020 11:31 PM
Yes, I can confirm adding a temporary user with priv 15 and going with local auth works. Now how to do it with Radius seems a mystery.
03-17-2020 12:41 AM
Hi,
The way it looks, it means that you need to assign a privilege level of 15 to the user authenticated by RADIUS. So you need to ensure that on your RADIUS server, you configure some kind of authorisation policy, so that alongside the "Access-Accept" message, you're also assigning a priv lvl of 15. Make use of the Cisco VSA RADIUS Attributes, by using "AV-pair shell:priv-lvl=15".
Regards,
Cristian Matei.
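As an added example (not part of Cristian's reply and not Cisco code), the Python below shows what that attribute looks like on the wire and gives a quick way to check an Access-Accept for it: it encodes a cisco-avpair as an RFC 2865 Vendor-Specific attribute (IANA vendor id 9, vendor type 1) and parses an attribute list to report which priv-lvl, if any, it grants. The two Access-Accept bodies are constructed for the example: one carries only Service-Type, which is the "Access-Accept without a privilege level" case that leaves SCP denied, and the other adds shell:priv-lvl=15.

```python
import struct

# RFC 2865 / Cisco identifiers (well-known values, not taken from the thread)
RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # vendor-type of cisco-avpair
SERVICE_TYPE = 6
NAS_PROMPT_USER = 7


def encode_cisco_avpair(avpair):
    """Wrap one cisco-avpair string, e.g. 'shell:priv-lvl=15', in a Vendor-Specific attribute."""
    value = avpair.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    if 2 + len(body) > 255:
        raise ValueError("avpair too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs):
    """Yield (type, value) pairs from a RADIUS attribute list; reject malformed lengths."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        yield atype, attrs[i + 2:i + alen]
        i += alen


def cisco_avpairs(attrs):
    """Extract every cisco-avpair string carried in Cisco Vendor-Specific attributes."""
    pairs = []
    for atype, value in iter_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4  # vendor sub-attributes follow the 4-byte Vendor-Id
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return pairs


def granted_priv_lvl(attrs):
    """Return the privilege level an Access-Accept grants, or None if no shell:priv-lvl avpair is present."""
    for pair in cisco_avpairs(attrs):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return None


# Constructed Access-Accept attribute lists (the part after the 20-byte RADIUS header).
ACCEPT_WITHOUT_PRIV = struct.pack("!BBI", SERVICE_TYPE, 6, NAS_PROMPT_USER)
ACCEPT_WITH_PRIV15 = ACCEPT_WITHOUT_PRIV + encode_cisco_avpair("shell:priv-lvl=15")

if __name__ == "__main__":
    for name, attrs in (("without avpair", ACCEPT_WITHOUT_PRIV), ("with avpair", ACCEPT_WITH_PRIV15)):
        print(name, "->", cisco_avpairs(attrs), "priv-lvl:", granted_priv_lvl(attrs))
```

The same parser can be pointed at the attribute bytes of a captured Access-Accept to confirm whether the RADIUS server is actually sending the avpair; if it reports None, the server-side policy is what needs fixing, which matches the advice above.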