The Active Directory integration works by mapping AD Users/Computers to internal IP addresses. In order for the mapping to be correct, AD Users must authenticate against a Domain Controller that's been configured to communicate with an Umbrella AD Connector.
If your AD Users authenticate through other means, a Logon event may not be generated on the Domain Controller at all, or an unexpected mapping may be created, resulting in the wrong policy being applied.
Authentication via 802.1X, RADIUS, or ISE
Authentication through 802.1X, RADIUS, or ISE is NOT supported due to the limitations of how Active Directory logons work with these solutions. The logon events the AD Connector looks for are often not generated.
Read more about the Event IDs the AD Connector looks for here: Which Windows Events/EventIDs is the Connector service looking for?
Most commonly, the IP address of the authentication service will be mapped to the AD User instead of the IP address of the user's computer.
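The following PowerShell function is an added example, not part of the Umbrella documentation or the AD Connector itself. It lets an administrator check on a Domain Controller whether recent successful logon events carry the user's workstation address or the address of an authentication service, which is the mis-mapping described above. It assumes the connector consumes successful-logon events such as Windows Event ID 4624 (consult the linked article for the actual list), and the function name, parameters and the sample addresses in the usage line are invented for illustration.

```powershell
# Added example (not from the Umbrella documentation): audit recent successful
# logon events on a Domain Controller and flag those whose source address is an
# authentication service (RADIUS/ISE/NAC) rather than the user's own workstation.
# Assumptions: the connector relies on successful-logon events such as Event ID
# 4624 (see the linked "Which Windows Events/EventIDs" article for the real list);
# $AuthServiceAddresses is a list you maintain of your RADIUS/ISE server IPs.

function Get-LogonSourceMapping {
    param(
        [Parameter(Mandatory)] [string[]] $AuthServiceAddresses,
        [int]    $MaxEvents  = 500,
        [string] $UserFilter = '*'
    )

    # Logon types that normally carry the workstation's own address:
    # 2 = interactive, 10 = remote interactive, 11 = cached interactive.
    $interactiveTypes = @('2', '10', '11')

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $data['LogonType']
                SourceIP    = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        } |
        # Skip computer accounts and local/empty source addresses; they carry no mapping.
        Where-Object {
            $_.User -like $UserFilter -and
            $_.User -notlike '*$' -and
            $_.SourceIP -notin @('-', '::1', '127.0.0.1')
        } |
        ForEach-Object {
            # A source address belonging to the RADIUS/ISE server means the connector
            # would map that server's IP to the user instead of the user's computer.
            $verdict =
                if ($AuthServiceAddresses -contains $_.SourceIP) { 'MISMAPPED (auth service IP)' }
                elseif ($interactiveTypes -contains $_.LogonType) { 'OK (workstation logon)' }
                else                                              { 'REVIEW (network/service logon)' }
            $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
        }
}

# Usage (run in an elevated PowerShell on a Domain Controller; addresses are placeholders):
# Get-LogonSourceMapping -AuthServiceAddresses '10.0.5.10','10.0.5.11' -UserFilter 'CORP\jdoe' |
#     Format-Table Time, User, LogonType, SourceIP, Verdict -AutoSize
```

Rows marked MISMAPPED are users whose only recent logon events on this DC originate from the authentication service; for those users the connector has no workstation address to map, and the internal-network identity described later on this page is the practical alternative.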
AD integration can also be achieved by the use of the roaming client with the identity support feature enabled. Further information on this feature can be found in our deployment documentation. Please note that this solution will require that virtual appliances are not present on the network as this would cause the roaming client to move into a disabled "behind VA" state.
If virtual appliances are used in the network, internal IP addresses can be used for identification. For example, you could create an "internal network" identity for the address range of your wireless network and then apply a policy to this identity. The only downside to this method is that all devices in this address range will receive the same policy.