1.6.14. Clients in policies

The client field in the policies can include or exclude clients.

In the scopes selfservice, authorization, enrollment and authentication, the client field can be used to specify the clients for which the policy is valid. The IP address of the client from which the request originated is determined and checked against the policies. Note that this is the source address as seen by the server: if requests arrive through a reverse proxy or load balancer, that is the proxy's address rather than the end user's, unless the address forwarded by the proxy is explicitly trusted.

You can enter a list of IP addresses or networks in CIDR [1] notation, separated by commas. Write each network with its network address, i.e. with the host bits set to zero:

172.16.0.0/16, 10.0.0.0/8, 192.168.1.1

When combining several policies it can be necessary to exclude client IPs from a policy. You can do this by prefixing an entry with - or !. A client address matches the list if it lies within at least one of the included entries and within none of the excluded ones:

172.16.0.0/16, -172.16.15.123, 10.0.0.0/8, -10.0.2.0/24, 192.168.1.1

Such a policy definition:

[special_user]
realm = realm1
client = 172.16.200.147
user = administrator
time = ""
action = "authorize, "
scope = authorization
[all_users]
realm = realm1
client = "172.16.200.0/24, -172.16.200.147"
user = *
time = ""
action = "authorize, "
scope = authorization

would mean that the administrator matches special_user on 172.16.200.147 and all_users on every other host of the network, so the administrator is allowed to authenticate from all computers on the 172.16.200.0/24 network. All other users match only all_users and can therefore authenticate from anywhere on the network except from the machine 172.16.200.147.
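To make the include/exclude semantics of the client field and the two-policy example above concrete, here is a small evaluator written for this page. It is an added illustration, not privacyIDEA's own policy code, and it makes two assumptions that the page does not spell out: a prefix with host bits set (such as 172.16.15.0/16) is read as the enclosing network, and a client list that contains only exclusions matches every address outside them. The policy table is constructed from the special_user / all_users definition shown above.

```python
import ipaddress


def parse_client_list(spec):
    """Split a policy client string into (included, excluded) network lists.

    Entries are comma separated; a leading '-' or '!' marks an exclusion.
    A bare address becomes a /32 (or /128) network. strict=False is an
    assumption of this example: 172.16.15.0/16 is read as 172.16.0.0/16.
    """
    included, excluded = [], []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry[0] in "-!":
            excluded.append(ipaddress.ip_network(entry[1:].strip(), strict=False))
        else:
            included.append(ipaddress.ip_network(entry, strict=False))
    return included, excluded


def client_matches(spec, client_ip):
    """Return True if client_ip is covered by the policy's client field.

    An empty client field matches every client. Otherwise the address must
    lie inside no excluded network and inside at least one included network.
    Assumption of this example: with exclusions only, everything else matches.
    """
    ip = ipaddress.ip_address(client_ip)
    included, excluded = parse_client_list(spec)
    if any(ip in net for net in excluded):
        return False
    if not included:
        return True
    return any(ip in net for net in included)


# Constructed from the page's example policy definition (client and user only).
POLICIES = {
    "special_user": {"client": "172.16.200.147", "user": "administrator"},
    "all_users": {"client": "172.16.200.0/24, -172.16.200.147", "user": "*"},
}


def matching_policies(user, client_ip, policies=POLICIES):
    """Names of the policies whose user and client conditions both match."""
    names = []
    for name, pol in policies.items():
        users = [u.strip() for u in pol["user"].split(",")]
        user_ok = "*" in users or user in users
        if user_ok and client_matches(pol["client"], client_ip):
            names.append(name)
    return names


if __name__ == "__main__":
    for user, ip in [("administrator", "172.16.200.147"),
                     ("administrator", "172.16.200.10"),
                     ("alice", "172.16.200.147"),
                     ("alice", "172.16.200.10"),
                     ("alice", "10.1.2.3")]:
        print(f"{user:14s} from {ip:16s} -> {matching_policies(user, ip)}")
```

Running the block prints which policy applies for each (user, client) pair: the administrator is covered on .147 by special_user and elsewhere on the /24 by all_users, while any other user is covered nowhere on .147 and nowhere outside the /24.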