6.13. Clients in policies
The client field in a policy can include or exclude clients.
In the scopes selfservice, authorization, enrollment and authentication, the client field specifies for which clients the policy is valid. The IP address of the client from which the request originated is determined and checked against the policies.
You can enter a list of IP addresses or networks in CIDR [1] notation, separated by commas:
172.16.15.0/16, 10.0.0.0/8, 192.168.1.1
When combining several policies, it can be necessary to exclude client IPs from a policy. You can do this by prefixing an entry with a minus sign (-):
172.16.15.0/16, -172.16.15.123, 10.0.0.0/8, -10.0.2.0/16, 192.168.1.1
Such a policy definition:
    [special_user]
    realm = realm1
    client = 172.16.200.147
    user = administrator
    time = ""
    action = "authorize, "
    scope = authorization

    [all_users]
    realm = realm1
    client = "172.16.200.0/24, -172.16.200.147"
    user = *
    time = ""
    action = "authorize, "
    scope = authorization
would mean that only the administrator is allowed to authenticate on all computers on the 172.16.200.0/24 network. All other users can authenticate on the network except at the machine 172.16.200.147.
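As an added illustration (not code from the product's documentation), the following Python evaluates a client field the way the text describes, and then applies the two authorization policies above to a user and a request IP. It assumes that an excluded entry always wins over an included one and that `user = *` matches any user; neither is spelled out on the page.

```python
import ipaddress


def parse_client_field(client: str):
    """Split a policy client field into (include, exclude) network lists.

    Entries are comma separated; a leading "-" marks an exclusion.
    A single address becomes a /32 network.
    """
    include, exclude = [], []
    for entry in client.split(","):
        entry = entry.strip()
        if not entry:
            continue
        target = exclude if entry.startswith("-") else include
        # strict=False accepts entries such as 172.16.15.0/16 whose host
        # bits are set, exactly as they are written in the documentation.
        target.append(ipaddress.ip_network(entry.lstrip("-"), strict=False))
    return include, exclude


def client_matches(client: str, ip: str) -> bool:
    """True if ip is covered by an include entry and by no exclude entry.

    Assumption: an exclusion takes precedence over any include entry.
    """
    addr = ipaddress.ip_address(ip)
    include, exclude = parse_client_field(client)
    if any(addr in net for net in exclude):
        return False
    return any(addr in net for net in include)


# Constructed from the two policies in the text (only the fields that
# matter for client matching are kept).
POLICIES = {
    "special_user": {"client": "172.16.200.147", "user": "administrator"},
    "all_users": {"client": "172.16.200.0/24, -172.16.200.147", "user": "*"},
}


def matching_policies(user: str, ip: str, policies=POLICIES):
    """Return the names of the policies whose user and client fields match.

    Assumption: user = * is a wildcard that matches every user.
    """
    return sorted(
        name for name, pol in policies.items()
        if pol["user"] in ("*", user) and client_matches(pol["client"], ip)
    )
```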
[1] Classless Inter-Domain Routing