01-03-2017 06:16 AM
Hi,
Because our TACACS+ server is running out of service, we migrated to a RADIUS based solution. It works so far. When I'm logging in via SSH, privilege 15 is granted to me via the vty setting priv 15. But if I try to get files from an IOS switch via scp, no matter which one, I get the following error message after I logged in successfully:
pscp -scp username@cisco-catalyst:startup.cfg test.cfg
Using keyboard-interactive authentication.
Password:
Privilege denied.
Which attribute with which value do I have to set to grant privilege 15 to user "username" when he's using scp?
As an example of the switches used:
Hardware: WS-C2960S-48FPD-L
IOS: Version 15.2(2)E5
Best regards.
Holger Weinel
01-03-2017 11:49 PM
Hello Holger,
provided your SSH configuration works, make sure you have
ip scp server enable
configured as well.
Can you post the RADIUS configuration you have?
01-04-2017 08:36 AM
#show run aaa
!
aaa authentication login default group RADIUS local
aaa authorization exec default group RADIUS local
!
!
!
!
radius server radius1
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
timeout 5
key *******
!
radius server radius2
address ipv4 1.1.1.2 auth-port 1812 acct-port 1813
timeout 5
key *******
!
radius-server attribute 6 on-for-login-auth
!
!
aaa group server radius RADIUS
server name radius1
server name radius2
!
!
!
!
!
aaa new-model
aaa session-id common
!
!
ip scp server enable
ip ssh version 2
line vty 0 4
...
privilege level 15
...
line vty 5 14
...
privilege level 15
...
In the attachment are the user attributes I did use unsuccessfully on the RADIUS server.
01-04-2017 09:14 AM
Hello Holger,
Which RADIUS server is that (sorry, I don't recognize that one)?
The config looks okay actually; I suspect there is something wrong with the privilege level set on the server...
01-04-2017 09:24 AM
01-04-2017 12:29 PM
Hello,
I did some research, I am not sure if this applies to you, but since you have the switch configured as SSH server (ip ssh version 2), according to the document below, you need to enable RSA by globally configuring:
crypto key generate rsa
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-2_2_e/security/configuration_guide/b_sec_1522e_2960x_cg/b_sec_1522e_2960x_cg_chapter_01001.html
01-04-2017 12:32 PM
Or try to configure a local user with privilege 15, if SCP works with that, you know that the problem is on the RADIUS server side:
username YourName privilege 15 password YourPassword
01-04-2017 10:59 PM
Hi, our company policy does not allow central authentication. We did use scp with TACACS auth successfully.
I guess I'd better check with our RADIUS partner's support. I did hope anyone at this forum had the same problem.
I will end this request at this site.
Best regards and a happy new year.
Holger
01-23-2017 01:26 PM
This Cisco AV-pair is needed:
priv-lvl=15
https://ltlnetworker.wordpress.com/2014/08/31/using-cisco-ise-as-a-generic-radius-server/
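The attribute named in the answer above travels as a Cisco Vendor-Specific attribute (RADIUS attribute 26, vendor id 9, vendor-type 1 "Cisco-AVPair"); the full string IOS expects for the exec privilege level is "shell:priv-lvl=15". The following is an added example, not code from the thread or from Cisco: it encodes that VSA plus Service-Type = NAS-Prompt (the attribute 6 that `radius-server attribute 6 on-for-login-auth` turns on), and parses a constructed Access-Accept attribute list to show which privilege level a switch would read out of it. Useful for checking in a packet capture whether the server actually sends the pair.

```python
import struct

CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # vendor-type of Cisco-AVPair
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
ATTR_SERVICE_TYPE = 6          # RFC 2865 Service-Type
SERVICE_TYPE_NAS_PROMPT = 7    # NAS-Prompt-User: interactive CLI login
PRIV_PREFIX = b"shell:priv-lvl="


def encode_cisco_avpair(text: str) -> bytes:
    """Wrap one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    value = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def encode_service_type(value: int) -> bytes:
    """Service-Type is a 4-byte integer attribute."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a type-length-value list; reject bad lengths."""
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute length does not fit the payload")
        yield t, payload[i + 2:i + length]
        i += length


def granted_privilege(attrs: bytes):
    """Return the priv-lvl carried in the attribute list, or None if no valid pair is present."""
    for t, v in parse_attributes(attrs):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        # the vendor data is itself a (vendor-type, vendor-length, value) list
        for vt, vv in parse_attributes(v[4:]):
            if vt == CISCO_AVPAIR and vv.startswith(PRIV_PREFIX):
                return int(vv[len(PRIV_PREFIX):])
    return None


# constructed Access-Accept attribute list: what a working server reply carries
ACCEPT_OK = encode_service_type(SERVICE_TYPE_NAS_PROMPT) + encode_cisco_avpair("shell:priv-lvl=15")
# constructed reply that authenticates but carries no privilege pair: the user lands at the default level
ACCEPT_NO_PRIV = encode_service_type(SERVICE_TYPE_NAS_PROMPT)
```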