An Apache rule that applies a different authnContextClassRef setting for a request if the client address matches is probably the simplest. -- Scott