Current test Setup:
- 1 Contract with two risk-based methods
- "1st" risk policy checks the IP address: if internal IP, use Kerberos and allow access if passed; if external IP, use form-based login, then move to the 2nd risk policy if passed.
- "2nd" risk policy requests a 2nd factor via the Advanced Authentication plugin. If passed, then allow login.

I have a policy that states if Authentication Method "[Current]" equals "1st" method and not equal to "2nd" method, then Active Role "internal".

Then, when I try logging in both externally and internally, the "internal" role activates.

What's the best way to apply roles so that only users coming from internal IPs get a role activated?