*Please provide some basic information describing your suggestion
In the current spec, only one subject type is allowed at a time. This means you can't restrict an authenticated subject type to a specific group of network addresses. It would be better to make the cidr attribute part of all subject types. This means you can match on just cidr by using type=anyAuthenticated or type=any depending on whether clients still need to be authenticated or not.
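The matching semantics proposed above, as an added example that is not part of the original suggestion or of the spec itself: a subject matches only when both its type check and its optional cidr check pass. The dict layout, the `Client` class, the `user` type with its `name` field, and the function names are assumptions made for illustration; only `type`, `cidr`, `any` and `anyAuthenticated` come from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    """Hypothetical view of a connecting client."""
    address: str              # source IP of the connection
    identity: Optional[str]   # None when the client did not authenticate


def cidr_matches(cidr: Optional[str], address: str) -> bool:
    """An absent cidr places no network restriction on the subject."""
    if cidr is None:
        return True
    try:
        network = ipaddress.ip_network(cidr, strict=False)
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed cidr or address: fail closed
    # An IPv4 address never matches an IPv6 network, and vice versa.
    return ip.version == network.version and ip in network


def subject_matches(subject: dict, client: Client) -> bool:
    """Type check AND cidr check; cidr is accepted on every subject type."""
    kind = subject.get("type")
    if kind == "any":
        identity_ok = True
    elif kind == "anyAuthenticated":
        identity_ok = client.identity is not None
    elif kind == "user":  # hypothetical type, not named in the suggestion
        identity_ok = (client.identity is not None
                       and client.identity == subject.get("name"))
    else:
        return False  # unknown subject type: fail closed
    return identity_ok and cidr_matches(subject.get("cidr"), client.address)


if __name__ == "__main__":
    # Constructed sample: authenticated clients, internal network only.
    rule = {"type": "anyAuthenticated", "cidr": "10.0.0.0/8"}
    for c in (Client("10.1.2.3", "alice"), Client("192.0.2.7", "alice"),
              Client("10.1.2.3", None)):
        print(c, subject_matches(rule, c))
```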