Hope everyone's well! Could someone advise on this please?

We're looking at installing Firepower devices, with ISE-PIC to provide SSO information based on Active Directory users. We need to control and log web access to URLs based on AD username. 

From the docs this looks like it will function with machines that are domain members, but many devices in this environment are iphones/android and therefore not domain members. Those particular users do not want to use the captive portal on the Firepower devices, and are currently logging on to the wifi by entering their AD credentials and authenticating via RADIUS on a WIndows AD Domain controller (WPA2 Enterprise). The wifi system they have also supports authenticating directly to Active Directory via a "bind_request".

We have found entries in ISE and Firepower documentation (see below) that indicate that users on Firepower devices cannot be managed if they logged on to RADIUS, LDAP or RSA domain controllers. So this could mean our WIFi users logging on via RADIUS may not be manageable, but what about if they logged on via the AD bind_request? Would that be any different?

The documentation is unclear on this. Technically it's LDAP, but it is a full Active Directory server and not an open-standards LDAP server.

Documentation excerpt:

ISE/ISE-PIC User Data

• After the system detects activity from an ISE user whose data is not yet in the database, the system retrieves information about them from the server. Activity seen by the ISE user is not handled by access control rules, and is not displayed in the dashboards until the system successfully retrieves information about them in a user download.
• You cannot perform user control on ISE users who were authenticated by an LDAP, RADIUS, or RSA domain controller.
• The system does not receive user data for ISE Guest Services users.