Anyconnect DAP policy incorrectly detects windows 10 system as windows 8

anil.kumark (Level 1)

We have a DAP policy for Windows 8, 7, Vista and macOS. When a Windows 10 system connects, users are able to log in even though no DAP policy matches. I have the debug dap trace 255 output now. I can see platform=win and platform version=10.0.17134, which is Windows 10.

Below is the sample debug output. Initially it detected the platform as win and the version as 10; later it shows Windows 8.

endpoint.anyconnect.platform="win";
endpoint.anyconnect.platformversion="10.***";
DAP_TRACE[128]: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="XXXX"
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "XXXX"
DAP_TRACE[128]: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.os.version="Windows 8"
DAP_TRACE: endpoint.os.version = "Windows 8"
DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.policy.location="Default"
DAP_TRACE: endpoint.policy.location = "Default"

DAP_TRACE: Username: XXXX, Selected DAPs: ,XXXX
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: Username: XXXX, dap_aggregate_attr: rec_count = 1
DAP_TRACE[128]: DAP ACL Aggregate: Classifying apras-acl: priority=121, sense=0(White), Denies=0, Permits=9050
DAP_TRACE: Username: XXXX, DAP_close: XXXX
DAP_TRACE: DAP_open: XXXX

Further testing confirms that Windows 10 systems are matched as the Windows 8 version and select the DAP XXXX, which has selection configured for Windows XP, 7, 8, Vista and macOS only.
It is also weird to see in the selected DAP section (Selected DAPs: ,XXXX) that there is a blank space/gap first and then it shows XXXX.

3 Replies

Rahul Govindan (VIP Alumni)

What is your ASA and ASDM version? It could be that the ASDM does not support anything above Windows 8 in endpoint OS and hence defaults everything back to Windows 8. Your AnyConnect HostScan component is correctly detecting Windows 10, so that seems correct.

Looking at this bug, you should be running at least 7.4(1) ASDM version.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur90915/?rfs=iqvred

Thanks Rahul for the update.

I am aware of this bug; however, my question is how Windows 10 systems are allowed to log in when there is no matching policy and we have the default policy set to terminate in DAP. So unless we find a related bug or limitation, I can't upgrade the ASDM to check the functionality.

Thanks

Anil

My guess is that the Windows 10 systems are being defaulted to Windows 8 because of the bug I mentioned earlier (no support for Windows 10 on ASDM below 7.4). Since they match Windows 8 incorrectly, they are getting through.

Another bug was opened for Windows 10 machines incorrectly matching as Windows 8 in an older HostScan version.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv82622

I do not know if that applies to you based on your version. I would suggest opening a TAC case to have them confirm this.
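The failure mode discussed in this thread is that the client-reported platform version (endpoint.anyconnect.platformversion, 10.x) and the label the DAP engine evaluates (endpoint.os.version, "Windows 8") disagree, and the wrong label happens to satisfy a DAP record's OS selection, so the connection never falls through to the default policy's terminate action. The script below is an added example and is not code from the thread or from Cisco: it parses a constructed trace modelled on the output in the original post, flags the version/label mismatch, and replays the OS-selection step of DAP matching both with the label the ASA used and with the label the client version implies. The version-to-label table, the DAP record contents and the default-policy action are assumptions for illustration; the DAP records and trace lines are constructed.

```python
import re

# Constructed sample modelled on the 'debug dap trace 255' output in the post;
# hostnames, tunnel group and DAP name are placeholders copied from the thread.
SAMPLE_TRACE = """\
endpoint.anyconnect.platform="win";
endpoint.anyconnect.platformversion="10.0.17134";
DAP_TRACE: aaa["cisco"]["tunnelgroup"] = "XXXX"
DAP_TRACE: endpoint["application"]["clienttype"] = "AnyConnect"
DAP_TRACE: endpoint.os.version = "Windows 8"
DAP_TRACE: endpoint.policy.location = "Default"
DAP_TRACE: Username: XXXX, Selected DAPs: ,XXXX
"""

# Assumed mapping from the Windows kernel version that AnyConnect reports
# (major.minor of platformversion) to the OS label DAP records are configured
# with. Verify against the HostScan/ASDM release you run before relying on it.
WIN_LABEL_BY_VERSION = {
    "5.1": "Windows XP",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8",   # Windows 8.1; label choice is an assumption
    "10.0": "Windows 10",
}

# Constructed DAP record, mirroring the OS selection described in the post
# (Windows XP, 7, 8, Vista and macOS only; no Windows 10 entry).
DAP_RECORDS = {
    "XXXX": {"Windows XP", "Windows 7", "Windows 8", "Windows Vista", "Mac OS X"},
}

# Matches both 'endpoint.a.b="v";' and 'DAP_TRACE: endpoint.a.b = "v"' forms.
ATTR_RE = re.compile(r'(endpoint\.[\w.]+)\s*=\s*"([^"]*)"')


def parse_endpoint_attrs(trace):
    """Collect endpoint.* attributes from a DAP trace dump into a dict."""
    return {m.group(1): m.group(2) for m in ATTR_RE.finditer(trace)}


def label_from_client_version(platform, platformversion):
    """Translate the client-reported platform/version into the DAP OS label we expect."""
    if platform != "win":
        return None  # only the Windows mapping is modelled here
    major_minor = ".".join(platformversion.split(".")[:2])
    return WIN_LABEL_BY_VERSION.get(major_minor)


def classification_mismatch(attrs):
    """Return (label implied by client version, label DAP used) if they differ, else None."""
    expected = label_from_client_version(
        attrs.get("endpoint.anyconnect.platform", ""),
        attrs.get("endpoint.anyconnect.platformversion", ""),
    )
    actual = attrs.get("endpoint.os.version")
    if expected and actual and expected != actual:
        return expected, actual
    return None


def select_daps(os_label, dap_records, default_action="terminate"):
    """Replay only the OS-selection step of DAP matching.

    Every record whose OS list contains the label is selected; if none is,
    the default access policy applies with the configured action (assumed
    here to be 'terminate', as the thread describes)."""
    matched = [name for name, os_list in dap_records.items() if os_label in os_list]
    return matched if matched else ["DfltAccessPolicy:" + default_action]


def analyze(trace, dap_records=DAP_RECORDS):
    """Show which DAPs the ASA selected versus which it should have selected."""
    attrs = parse_endpoint_attrs(trace)
    implied = label_from_client_version(
        attrs.get("endpoint.anyconnect.platform", ""),
        attrs.get("endpoint.anyconnect.platformversion", ""),
    )
    return {
        "mismatch": classification_mismatch(attrs),
        "selected_with_asa_label": select_daps(attrs.get("endpoint.os.version"), dap_records),
        "selected_with_client_version": select_daps(implied, dap_records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against the constructed trace, the mismatch is reported as ("Windows 10", "Windows 8"), the ASA's label selects DAP XXXX, and the client-reported version would have selected no record and hit the terminate default. The same parser can be pointed at a real trace capture to confirm whether a given session was admitted through this mislabelling. As a DAP-side mitigation until the ASDM/HostScan versions are fixed, a DAP advanced (Lua) expression can test endpoint.anyconnect.platform and endpoint.anyconnect.platformversion directly rather than relying on the endpoint.os.version label, since those attributes are the ones the trace shows the client reporting correctly.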