Hi, I noticed a very strange behavior in the client IP exclusion list with the Google Authenticator MFA on two RAS 18 installation. It seeams that the MFA IP exclusion uses the IP address assigned on the client's NIC instead of the source IP address used for connectig to the RAS server. I'ill give a simple example of the potential issue. RAS server (192.168.10.10) is installed on a headquarter network (192.168.10.0/24) and I'd like to exclude from MFA connection coming from the same subnet. In this example I'll add an IP exclusion range 192.168.10.1-192.168.10.254 to prevent users inside corporate LAN to enter the OTP. This works great! But if a user connect from home (or another location) with a public IP, 220.127.116.11 in this example, and his network interface uses 192.168.10.20, he will not get ask to enter the OTP.