by adrien » Dec 17 18 2:50 pm
Hi
This should actually be possible using flow-chart policy if you have an enterprise license. In this case you have access to the Pre-Auth event, which allows you to override authentication, and you have access to the username and IP the authentication is coming from.
So a basic design could be to check if the IP the user is logging in from is permitted for that user, either by adding it to a list where the name of the list contains the username (so there's one list per username), or some other method. Checking for list existence would be the test for whether the user currently is associated with an IP.
Do you foresee the IP address changing a lot per user? One of the issues is figuring out when a user has finished using credentials (e.g. is it when all the connections are closed, or some time later).
Adrien
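
A minimal Python model of the design described in the post above, added here as an illustration; it is not WinGate policy or code from the poster. The class and method names are hypothetical, and it assumes the binding is recorded only after authentication succeeds (so a failed login from another address cannot lock the user out) and is released a configurable grace period after the user's last connection closes.

```python
import time

class UserIpBinder:
    """Per-user IP binding consulted at pre-authentication (hypothetical model)."""

    def __init__(self, grace_seconds=300, clock=time.monotonic):
        # grace_seconds=0 models "release as soon as all connections are closed"
        self.grace = grace_seconds
        self.clock = clock
        # username -> {"ip", "conns", "idle_since"}; one entry per user,
        # standing in for "one list per username"
        self.bindings = {}

    def _expire(self, user):
        b = self.bindings.get(user)
        if b and b["conns"] == 0 and self.clock() - b["idle_since"] >= self.grace:
            del self.bindings[user]

    def pre_auth(self, user, ip):
        """True lets authentication proceed; False overrides it with a reject."""
        self._expire(user)
        b = self.bindings.get(user)
        # No entry means the user is not currently associated with any IP.
        return b is None or b["ip"] == ip

    def session_opened(self, user, ip):
        """Call only after authentication has succeeded."""
        b = self.bindings.setdefault(user, {"ip": ip, "conns": 0, "idle_since": None})
        b["conns"] += 1
        b["idle_since"] = None

    def session_closed(self, user):
        b = self.bindings[user]
        b["conns"] -= 1
        if b["conns"] == 0:
            b["idle_since"] = self.clock()  # start the release timer

if __name__ == "__main__":
    binder = UserIpBinder(grace_seconds=60)
    # Constructed sample: alice logs in from one address, then a second address tries.
    print(binder.pre_auth("alice", "10.0.0.5"))
    binder.session_opened("alice", "10.0.0.5")
    print(binder.pre_auth("alice", "10.0.0.9"))
```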