The User Agent (which is being deprecated) or ISE/ISE-PIC is required to get the mapping of user to IP address. Realm integration and the LDAP/AD authentication by themselves won't do that for purposes of using identity in your Access Control Policy.
I had a similar issue with users showing as unknown. You need to install the user agent to collect identities for use in identity-based policies. Authentication from VPN won’t necessarily bring that user into events. From what I remember, the user agent correlates login and logoff events from the DC, and that’s how it can display users with IPs.