[CSING]

User catalogs provide more security simply due to the fact that the user credentials are verified on the Integrity server. Also it allows you to deploy a policy to a specific user or group regardless of what machine is logged into. It requires and additional step for IAS to communicate to your user directory but once done it remains very static.

Nevertheless if the user credentials do not match the user will be prompted if proxy login is checked. After 3 failed login attempts the policy applied would be either IP based or as last resort default policy for the entity.

It gives greater control, security and better reporting I believe. What some find imtimidating is setting up the user catalogs. But once this is done it usually doesn't have to be played with.

Limitation is that only one catalog can have proxy login checked. Which may not be an issue.