The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document provides the procedure to configure a Cisco device for Secure Copy (SCP) server-side functionality.
Configure Secure Shell (SSH), authentication, and authorization on the device.
Because SCP relies on SSH for its secure transport, the device must have a Rivest, Shamir, and Adelman (RSA) key pair.
The Secure Copy feature provides a secure and authenticated method for copying switch configurations or switch image files. The Secure Copy Protocol (SCP) relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools.
The behavior of SCP is similar to that of Remote Copy Protocol (RCP), which comes from the Berkeley r-tools suite (Berkeley university’s own set of networking applications), except that SCP relies on SSH for security. In addition, SCP requires authentication, authorization, and accounting (AAA) to be configured to ensure that the device can determine whether a user has the correct privilege level.
SCP allows only users with a privilege level of 15 to copy a file in the Cisco IOS File System (Cisco IFS) to and from a device by using the copy command. An authorized administrator can also perform this action from a workstation.
 Note |
|
How to Configure Secure Copy
To configure a Cisco device for Secure Copy (SCP) server-side functionality, perform the following steps.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
||
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 3 |
aaa new-model Example: |
Sets AAA authentication at login. |
||
|
Step 4 |
aaa authentication login {default | list-name } method1 [ method2... ] Example: |
Enables the AAA access control system. |
||
|
Step 5 |
username name [privilege level ] password encryption-type encrypted-password Example: |
Establishes a username-based authentication system.
|
||
|
Step 6 |
ip scp server enable Example: |
Enables SCP server-side functionality. |
||
|
Step 7 |
exit Example: |
Exits global configuration mode and returns to privileged EXEC mode. |
||
|
Step 8 |
show running-config Example: |
(Optional) Displays the SCP server-side functionality. |
||
|
Step 9 |
debug ip scp Example: |
(Optional) Troubleshoots SCP authentication problems. |
Configuration Examples for Secure Copy
The following example shows how to configure the server-side functionality of Secure Copy (SCP). This example uses a locally defined username and password.
! AAA authentication and authorization must be configured properly in order for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 privilege 15 password 0 lab
! SSH must be configured and functioning properly.
ip scp server enableThe following example shows how to configure the server-side functionality of SCP using a network-based authentication mechanism:
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable|
Related Topic |
Document Title |
|---|---|
|
Secure Shell Version 1 and 2 support |
Configuring Secure Shell |
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
This table provides release and related information for features explained in this module.
These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
|
Release |
Feature |
Feature Information |
|---|---|---|
|
Cisco IOS XE Everest 16.5.1a |
Secure Copy |
The Secure Copy feature provides a secure and authenticated method for copying device configurations or device image files. SCP relies on SSH, an application and protocol that provide a secure replacement for the Berkeley r-tools suite. The following commands were introduced or modified: debug ip scp and ip scp server enanle . Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches. |
|
Cisco IOS XE Fuji 16.8.1a |
Secure Copy |
Support for this feature was introduced only on the C9500-32C, C9500-32QC, C9500-48Y4C, and C9500-24Y4C models of the Cisco Catalyst 9500 Series Switches. |
Use Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
Feedback