
Radius attribute to grant priv 15 for scp

holger.weinel1
Level 1

Hi,

Because our TACACS+ server is going out of service, we migrated to a RADIUS-based solution. It works so far. When I log in via SSH, privilege 15 is granted to me via the vty setting "privilege level 15". But if I try to get files from an IOS switch via SCP, no matter which one, I get the following error message after logging in successfully:

pscp -scp username@cisco-catalyst:startup.cfg test.cfg
Using keyboard-interactive authentication.
Password:
Privilege denied.

Which attribute, with which value, do I have to set to grant privilege 15 to user "username" when he's using SCP?

As an example of the switches used:

Hardware: WS-C2960S-48FPD-L

IOS: Version 15.2(2)E5

Best regards,

Holger Weinel
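The thread never names the attribute itself, so here is an added example (not from the post, the replies, or Cisco) showing what IOS reads for the exec privilege level: the RADIUS Vendor-Specific attribute (type 26) carrying Cisco-AVPair (vendor 9, vendor-type 1) with the value shell:priv-lvl=15. The code encodes that VSA and parses it back out of a constructed Access-Accept attribute list, returning the IOS default level when no priv-lvl is present.

```python
# Added example (not from the thread): encode and parse the RADIUS
# Vendor-Specific attribute (RFC 2865 type 26) that Cisco IOS reads for the
# exec privilege level, Cisco-AVPair "shell:priv-lvl=15". Bytes are constructed.
import struct

VSA_TYPE = 26          # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type of Cisco-AVPair

def encode_cisco_avpair(value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a Cisco-AVPair string."""
    data = value.encode()
    # vendor part: vendor-type(1) vendor-length(1) value; lengths include headers
    vendor = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def iter_attributes(payload: bytes):
    """Yield (type, value) for each attribute in a RADIUS attribute list."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(payload: bytes) -> list:
    """Return every Cisco-AVPair string in the attribute list, in order."""
    pairs = []
    for atype, val in iter_attributes(payload):
        # skip non-VSA attributes and VSAs belonging to other vendors
        if atype != VSA_TYPE or len(val) < 6 or struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4
        while vpos + 2 <= len(val):
            vtype, vlen = val[vpos], val[vpos + 1]
            if vlen < 2 or vpos + vlen > len(val):
                break  # truncated vendor sub-attribute: ignore the rest
            if vtype == CISCO_AVPAIR:
                pairs.append(val[vpos + 2:vpos + vlen].decode(errors="replace"))
            vpos += vlen
    return pairs

def exec_priv_level(payload: bytes) -> int:
    """Privilege level the reply asks for; 1 (the IOS default) if absent."""
    for pair in cisco_avpairs(payload):
        if pair.startswith("shell:priv-lvl="):
            return int(pair.split("=", 1)[1])
    return 1
```

Whether the server really sends the attribute can be checked on the switch with `debug radius`, which prints the attributes of each reply.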

9 Replies

Hello Holger,

Provided your SSH configuration works, make sure you have

ip scp server enable

configured as well.

Can you post the RADIUS configuration you have?

#show run aaa
!
aaa authentication login default group RADIUS local
aaa authorization exec default group RADIUS local
!
!
!
!
radius server radius1
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 timeout 5
 key *******
!
radius server radius2
 address ipv4 1.1.1.2 auth-port 1812 acct-port 1813
 timeout 5
 key *******
!
radius-server attribute 6 on-for-login-auth
!
!
aaa group server radius RADIUS
 server name radius1
 server name radius2
!
!
!
!
!
aaa new-model
aaa session-id common
!
!
ip scp server enable
ip ssh version 2

line vty 0 4
...
 privilege level 15
...
line vty 5 14
...
 privilege level 15
...

In the attachment are the user attributes I did use unsuccessfully on the RADIUS server.

Hello Holger,

Which RADIUS server is that? (Sorry, I don't recognize that one.)

The config looks okay actually; I suspect there is something wrong with the privilege level set on the server...

It is a VASCO virtual appliance, latest version.

Hello,

I did some research. I am not sure if this applies to you, but since you have the switch configured as an SSH server (ip ssh version 2), according to the document below you need to enable RSA by globally configuring:

crypto key generate rsa

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01001.html

Or try to configure a local user with privilege 15; if SCP works with that, you know that the problem is on the RADIUS server side:

username YourName privilege 15 password YourPassword

Hi, our company policy does not allow central authentication. We did use SCP with TACACS auth successfully.

I guess I'd better check with the support of our RADIUS partner. I had hoped someone on this forum had the same problem.

I will end this request at this site.

Best regards and a happy new year.

Holger

johnnylingo
Level 5

I realize this post is a couple of years old, but I just made a blog post about this exact same problem:

https://layer77.net/2019/10/16/cisco-ios-xe-scp-server/