Can we link / verify the IP address(s) allocated to each external member with their user IDs (since the authentication of the VPN is performed via LDAP). This is to identify for instance if a user "A" from member "A" tries to login with his user ID but from member "B", then the network will identify that this user is trying to connect from an IP address range NOT assigned to him, and hence reject the connection. This might sound complicated, but the aim is to have more control on the physical connectivity especially that we are facing such issues of users moving from one organization to another and accessing the system before we receive the request to de-activate their accounts from the original employer.
