Thanks but you are wrong. NPS and Windows 7 clients work without any problem (using 802.1X implementation). But on Windows 10, NAP agent is removed so you cannot send computer properties to the RADIUS server in order to make authentication. This is a common widely known problem on Windows 10 so we are forced to use other solutions that use an agent on the systems and connect to the related RADIUS like Cisco ISE.

I am not wrong!  You asked about authenticating the Windows 10 machines to prevent non-corporate devices from connecting to the network.  802.1x is your answer and only requires the Windows Native Supplicant on Windows 10, a network device that supports 802.1x, and a Radius server.  Microsoft NPS is a Radius server.

You are wrong!  You are confusing Network Access Protection (NAP) with 802.1x authentication.  NAP is like Cisco ISE Posture.  It sends details about the machine's health to NPS for consideration in access policies.  That DOES require the NAP agent.  Just like with Cisco ISE, posture requires the Anyconnect Posture agent.  But 802.1x is a separate thing.

Still stuck in the machine authentication problem and maybe these posts confirm that we need a 3rd Party agent on windows 10 because of lacking NAP.

https://social.technet.microsoft.com/Forums/office/en-US/1b027cc1-6b97-4779-b8e9-ced71ed93651/can-nps-force-computer-and-user-authentication?forum=winserverNAP

Enabling NAP will give you the option to combine user and machine groups in the same policy with an AND statement.

https://social.technet.microsoft.com/Forums/ie/en-US/bb886ded-19b5-4b58-9b39-dd572cbe4066/win10-8021x-profile-user-or-computer-authentication?forum=winserverNAP

I have the same issue that windows 10 unable to do machine authentication

https://social.technet.microsoft.com/Forums/windowsserver/en-US/1b027cc1-6b97-4779-b8e9-ced71ed93651/can-nps-force-computer-and-user-authentication?forum=winserverNAP

Cisco ACS performs this duty by checking that the user authentication is precluded by a computer authentication, and if there is no computer authentication the user auth is rejected. The feature is called Machine Access Restrictions, though i'm not sure exactly how it works I assume it checks the client MAC address against the host and user auth request.

https://social.technet.microsoft.com/Forums/ie/en-US/5792931b-560f-440a-9ee0-4e03d165decd/windows-10-client-machine-information-in-nps-due-to-missing-nap-client?forum=winserverNAP

For other people that will read this, I finally managed to resolve my issue using:
Clearpass Policy Manager from Aruba Networks.

Dear Colby

Let me say that

It WORKED !!

Although there are still so many problems and imperfections but starting the service (Which I wonder why is not in automatic state by default) I was able to prevent non corporate machines from gaining access to the network.

There are still issues like this which may be related to Cisco switch or NPS configuration:

- Computer and then User authentication not working, (Both in the order mentioned)

- Computer information is sent as null. The user id is sent as the computer name

- Can't figure out a way to allow the non corporate computers to gain access and then decide about them based on different criteria (even when no preventive policy is set against a port. For instance, when I just set the rule to "Ethernet on the switch port side device or a simple day time restriction which is always true)  to let a non joined PC to be able to connect but it does not work

I'll work on this and guess that it should move forward on Microsoft forums.

Regards,