You may want to use client IP addresses to have a Gateway Enforcer appliance authenticate a limited subset of clients at a company.

You can have the Gateway Enforcer appliance check only those clients that connect through one subnet if you have already installed the clients on all of the computers. Other clients accessing the corporate network at that location are allowed to pass through without authentication. As the client is installed on other clients, you can add their addresses to the Client IP address range or use a different authentication strategy.

See Adding client IP address ranges to the list of addresses that require authentication.