Windows 10 Client Machine information in NPS due to missing NAP client

  • Question

  • Since Windows 10 lacks the NAP-client, I'm wondering if there is another way to get the Client Machine information.
    (The information in the red square in the screenshot below)
    Something like a service or other type of default client that should be activated.

    At this point we need to first figure out a solution before we can start rolling out Windows 10 in our Enterprise.

    Some more background information: we use the Client Machine (Account name) for our wireless solution.

    A user connects to wireless using his user credentials (sent from Windows logon).
    With this user login on wifi, the NAP-client used to send the Client Machine information.
    In NPS we checked on membership of a specific user group AND membership of a specific machine group.

    This way we had a combination of user information that the user needed to know and a device the user needed to have.
    Which resulted in a very simple but effective way of 2-factor authentication.

    Something that normally couldn't be done, because of the fact that Wireless normally only uses either user OR computer authentication. NAP made this possible!

    Friday, August 28, 2015 8:49 AM

Answers

  • For other people that will read this, I finally managed to resolve my issue using:
    ClearPass Policy Manager from Aruba Networks.

    It is capable of first doing a (wireless) machine authentication and setting an attribute, and on user login it reauthenticates with a user authentication.

    User authentication + attribute puts the machine in a specific (managed systems) VLAN.
    Just user authentication puts the machine in another (byod) VLAN.

    Monday, August 8, 2016 8:19 AM
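
The flow described in this answer, modelled as an added example (not part of the original post and not ClearPass code): a machine authentication records an attribute, and the later user authentication selects the VLAN from it. Assumptions: the attribute is keyed by the client MAC address and has a fixed lifetime; the account, group and VLAN names are constructed.

```python
from dataclasses import dataclass, field

MANAGED_VLAN = "managed-systems"   # constructed VLAN names
BYOD_VLAN = "byod"
MACHINE_AUTH_TTL = 8 * 3600        # assumed lifetime of the attribute, in seconds


@dataclass
class PolicyServer:
    machine_group: set   # computer accounts that count as managed devices
    user_group: set      # user accounts allowed on the wireless network
    _machine_seen: dict = field(default_factory=dict)  # MAC -> time of machine auth

    def machine_auth(self, mac, computer_account, now):
        """Pre-logon computer authentication; records the attribute on success."""
        if computer_account not in self.machine_group:
            return False
        self._machine_seen[mac.lower()] = now
        return True

    def user_auth(self, mac, user_account, now):
        """User re-authentication at logon; returns the VLAN, or None to reject."""
        if user_account not in self.user_group:
            return None
        stamp = self._machine_seen.get(mac.lower())
        if stamp is not None and now - stamp <= MACHINE_AUTH_TTL:
            return MANAGED_VLAN  # user factor + device factor
        # Missing or expired attribute: drop it so a stale entry is never reused.
        self._machine_seen.pop(mac.lower(), None)
        return BYOD_VLAN         # user factor only


def demo():
    server = PolicyServer(machine_group={"LAPTOP-001$"}, user_group={"alice", "bob"})
    t0 = 1_000_000  # constructed timestamp
    server.machine_auth("AA-BB-CC-00-00-01", "LAPTOP-001$", t0)
    return {
        "managed": server.user_auth("aa-bb-cc-00-00-01", "alice", t0 + 60),
        "byod": server.user_auth("AA-BB-CC-00-00-02", "bob", t0 + 60),
        "unknown_user": server.user_auth("AA-BB-CC-00-00-01", "mallory", t0 + 60),
        "expired": server.user_auth("AA-BB-CC-00-00-01", "alice",
                                    t0 + MACHINE_AUTH_TTL + 1),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case}: {vlan}")
```

The expiry branch is the part worth checking in a real deployment: once the attribute has aged out, a valid user login lands in the BYOD VLAN until the machine authenticates again.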

All replies

  • Hi Lau,

    I tested on my server and got the same result.

    As it said "Network Policy Server granted access to a user", I suppose it is by design that the Client Machine information is blank.

    It is validating the user account and it would get the information of it.

    Best Regards,

    Leo

     


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, August 31, 2015 7:00 AM
  • Hi Leo,

    This is true, because Windows 10 lacks the NAP-client.
    Without the NAP-client activated on a Pre-Windows 10 machine the result is the same.

    However, when you start the NAP-Client on a Pre-Windows 10 machine, it sends the Client Machine information with the User authentication attempt.

    This way I was able to find out if a user was logged in on a managed corporate device (NAP-capable+member of machine group+member of user group) or using a byod (only member of a user group).

    Windows 10 doesn't have the NAP-client, so yes, by new design the Client Machine information isn't sent anymore.

    The question I have: is there a (new) way to get this information sent to the NPS server?
    Maybe by starting a service, setting a registry setting or perhaps by using third-party software.

    Monday, August 31, 2015 8:15 AM
  • Hi Lau,

    As far as I know, it can't be achieved using service or registry.

    I suppose some 3rd party tools could implement it.

    Best Regards,

    Leo



    • Proposed as answer by Leo Han Wednesday, September 9, 2015 1:30 AM
    • Marked as answer by Leo Han Thursday, September 10, 2015 1:57 AM
    • Unmarked as answer by L.M. van der Vleuten Thursday, September 10, 2015 10:00 AM
    • Unproposed as answer by L.M. van der Vleuten Thursday, September 10, 2015 10:00 AM
    Tuesday, September 1, 2015 1:54 AM
  • Dear Leo,

    The question I have: is there a (new) way to get this information sent to the NPS server?

    Maybe by starting a service, setting a registry setting or perhaps by using third-party software.
    (If it should be third-party software, which one?)

    I want to know how I can resolve the fact that there is no more Client Machine information.
    Something that used to be sent with the Wireless user authentication, but without the NAP-client it isn't.

    Thursday, September 10, 2015 10:31 AM
  • Hi Lau,

    As I mentioned, I'm afraid it can't be achieved using service or registry.

    You may try to find a 3rd party tool from a local software vendor. They may have developed applications to achieve the goal.

    Best Regards,

    Leo



    • Proposed as answer by Leo Han Thursday, September 24, 2015 1:51 AM
    • Marked as answer by Leo Han Tuesday, September 29, 2015 1:17 AM
    • Unmarked as answer by L.M. van der Vleuten Monday, August 8, 2016 8:20 AM
    Monday, September 14, 2015 1:09 AM