I wonder whether this case is caused by the IVE or by the Windows OS of the NC client.
It occurs when an NC user whose account is mapped to more than one role and NC profile IP pool gets an IP address.
For example, username 'juniper' has two roles (role#1, role#2).
Role#1 is positioned higher than role#2, and the "Stop processing rules when this rule matches" option is not used.
Each role has its own NC profile (IP pool).
It seems that if all IP addresses of role#1 are unavailable, user 'juniper' gets an IP address from role#2's IP pool.
But the next time user 'juniper' connects to the IVE, it still gets the role#2 IP address that it had been assigned before, even though some IP addresses of role#1 are available.
What's the reason for this issue?
Any reason why you can't turn "Stop Processing" on? You could also try a policy trace under troubleshooting during login; perhaps there is a different reason why the user isn't matching the previous policy. How about simply expanding the IP range?
I think I've observed something that might explain what you are seeing. Please understand that my explanation is speculation based on observation, and not based on knowledge of how NC works. Maybe someone else in the community has additional information.
I think that when a user is put into a role (or roles) for Network Connect and starts a session, the set of assignable addresses is generated. You can see this in a policy trace. My belief is that if the address assigned to the user in his or her most recent NC session is not in use and is in the set of assignable addresses (which it would be if the configuration was unchanged), that address is assigned to the user. If this is the user's first logon, or if the prior address is not free, the SA assigns the lowest address in the set of assignable addresses.
I've never assigned a user to multiple roles with NC, so this may affect the order. Maybe after it decides the prior address is not free, the SA assigns the lowest address from the set of assignable addresses from the first role, and only takes an address from the second role if the address pool for the first role is exhausted. But I think there is some "memory" about the most recent address assigned, and it is reassigned if available.
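The allocation order speculated in the last reply, written out as a toy model so the scenario from the question can be replayed. This is an added example, not Juniper's code or anything posted in the thread; the class `NCAllocatorModel`, the users alice, bob and carol, and all addresses are constructed for illustration.

```python
from ipaddress import ip_address

class NCAllocatorModel:
    """Toy model of the hypothesised behaviour; not Juniper's implementation."""

    def __init__(self, role_pools):
        # role_pools: (role, addresses) pairs in role-mapping order, highest first.
        self.role_pools = [(r, sorted(p, key=ip_address)) for r, p in role_pools]
        self.in_use = {}     # address -> user currently holding it
        self.last_addr = {}  # user -> address from the most recent session

    def assignable(self, roles):
        # First role's pool first, then the next role's, lowest address first.
        return [a for r, pool in self.role_pools if r in roles for a in pool]

    def connect(self, user, roles):
        addrs = self.assignable(roles)
        prior = self.last_addr.get(user)
        if prior in addrs and prior not in self.in_use:
            chosen = prior  # "memory": reuse the previous address if it is free
        else:
            chosen = next((a for a in addrs if a not in self.in_use), None)
        if chosen is not None:
            self.in_use[chosen] = user
            self.last_addr[user] = chosen
        return chosen

    def disconnect(self, user):
        self.in_use = {a: u for a, u in self.in_use.items() if u != user}


def replay_thread_scenario():
    # Constructed pools and users; only 'juniper', role#1 and role#2 are from the thread.
    both = {"role#1", "role#2"}
    model = NCAllocatorModel([("role#1", ["10.0.1.10", "10.0.1.11"]),
                              ("role#2", ["10.0.2.10", "10.0.2.11"])])
    model.connect("alice", {"role#1"})
    model.connect("bob", {"role#1"})          # role#1 pool is now exhausted
    first = model.connect("juniper", both)    # falls through to role#2
    for user in ("juniper", "alice", "bob"):
        model.disconnect(user)                # role#1 addresses are free again
    second = model.connect("juniper", both)   # remembered address wins
    newcomer = model.connect("carol", both)   # no history: lowest of role#1
    return first, second, newcomer


if __name__ == "__main__":
    print(replay_thread_scenario())
```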