6.2.6.4 EXCLUDEALL [user|host|group|host_group|internet] who
The EXCLUDEALL line prevents usage of all capabilities defined by all privileges by a particular user, host, group, host_group, IP address, or project. If you specify group or host_group, it must be defined by a GROUP or HOST_GROUP line in the RLM options file.
Portions of the INTERNET address can be specified with a '*' which matches any address, e.g. 172.16.7.*
For a list of the privileges available, see the table at the beginning of this chapter.