IP based Conditional access

I would like to use IP based conditional access for my users.
In many MFA systems you can whitelist IP adresses in the system so that users logging in from that IP will not be required to use MFA for logon but only their username and password.
Users logging in from other IP adresses are required to use MFA for login.
In this way, users loggin in to i.e. Citrix from their home office have to logon with their MFA, but users inside company network are allowed to login without MFA. I know I can do this with policies on the Citrix Netscaler, but that limits this to Citrix. By doing this directly on the PrivacyIdea server this function will be available for all types of services.

Anyone out there that have done something like this with PrivacyIdea?

every policy has the Client-Field on the first tab, so you are able to set authentication-policies for IPs/ranges, some with Username/Password and others with Username/Password/Token

Thank you for your reply.
The client-field in policy, when using Radius references to the radius NAS client. not the user client.
next challange is, what policy setting will allow the user to login only with username and pass?
the passthru setting is only valid for user with zero tokens assigned.

In policies, scope webui there is an alternative (“login_mode”) for selecting if users can authenticate against userstore or PrivacyIdea.
If this was available in authentication policy I would be half way, next issue would be to identify the users IP adresse.
anyone have any ideas how this can be done ?