We have a unique environment, and are having trouble identifying the best way to enforce role-based access. Here are the problems I'm seeing with each Identity Awareness source:
Browser-Based: We don't want users to do browser-based authentication every login.
AD Query: Assumes a single-user host, and RDP causes the RDP session account to override the current login; a service account exemption isn't feasible for our structure.
Identity Agent: Doesn't support fast user switching.
Terminal Server Agent: Doesn't support Windows 10 Secure Boot.
RADIUS Accounting: We don't have RADIUS auth configured for wired users yet.
Identity Collector: Doesn't support 2003 domain controllers (yes, I know, we are trying to upgrade).
Identity Web API: We would configure it with Aruba ClearPass, but again, it isn't configured for wired users.
User Directory: Can it do user group detection and handle multi-user hosts? I think this is just for configuring LDAP accounts.
I'm in quite a pickle on how to enforce access. Our previous TMG 2010 gateway used a proxy client to enforce access.