diff --git a/lib/puppet/network/authstore.rb b/lib/puppet/network/authstore.rb
index 51fd3413834..bd19aeb9c04 100755
--- a/lib/puppet/network/authstore.rb
+++ b/lib/puppet/network/authstore.rb
@@ -150,7 +150,16 @@ def ip?
 
 # Does this declaration match the name/ip combo?
 def match?(name, ip)
- ip? ? pattern.include?(IPAddr.new(ip)) : matchname?(name)
+ if ip?
+ if pattern.include?(IPAddr.new(ip))
+ Puppet.deprecation_warning "Authentication based on IP address is deprecated; please use certname-based rules instead"
+ true
+ else
+ false
+ end
+ else
+ matchname?(name)
+ end
 end
 
 # Set the pattern appropriately. Also sets the name and length.
@@ -212,7 +221,6 @@ def matchname?(name)
 
 # Convert the name to a common pattern.
 def munge_name(name)
- # LAK:NOTE http://snurl.com/21zf8 [groups_google_com]
 # Change to name.downcase.split(".",-1).reverse for FQDN support
 name.downcase.split(".").reverse
 end
diff --git a/spec/integration/network/rest_authconfig_spec.rb b/spec/integration/network/rest_authconfig_spec.rb
index fb21abddd98..129a9550c02 100644
--- a/spec/integration/network/rest_authconfig_spec.rb
+++ b/spec/integration/network/rest_authconfig_spec.rb
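Review bot: In `match?` (lib/puppet/network/authstore.rb, first hunk) the deprecation message does not say which declaration matched, and it is emitted only when a request actually hits an IP rule, so IP-based rules that are rarely exercised stay invisible to whoever is auditing the ACLs. Including the pattern would make the log line actionable, for example `Puppet.deprecation_warning "Authentication based on IP address is deprecated (matched #{pattern}); please use certname-based rules instead"`; warning where the declaration is parsed would also cover rules that never match. Separately, `IPAddr.new(ip)` still runs on the request address with no rescue, so a malformed or missing `ip` presumably raises out of `match?` instead of returning false; that predates this commit but is worth confirming against the callers.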
@@ -44,12 +44,31 @@ def add_regex_rule(regex, rule)
 end
 
 def request(args = {})
- { :ip => '10.1.1.1', :node => 'host.domain.com', :key => 'key', :authenticated => true }.each do |k,v|
- args[k] ||= v
- end
+ args = {
+ :key => 'key',
+ :node => 'host.domain.com',
+ :ip => '10.1.1.1',
+ :authenticated => true
+ }.merge(args)
 ['test', :find, args[:key], args]
 end
 
+ it "should warn when matching against IP addresses" do
+ add_rule("allow 10.1.1.1")
+
+ @auth.should allow(request)
+
+ @logs.should be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+ end
+
+ it "should not warn when matches against IP addresses fail" do
+ add_rule("allow 10.1.1.2")
+
+ @auth.should_not allow(request)
+
+ @logs.should_not be_any {|log| log.level == :warning and log.message =~ /Authentication based on IP address is deprecated/}
+ end
+
 it "should support IPv4 address" do
 add_rule("allow 10.1.1.1")
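Review bot: The two new examples assert on `@logs`, but nothing in this hunk shows the log buffer or any deprecation-warning state being reset between examples, so "should warn when matching against IP addresses" may depend on example order if `Puppet.deprecation_warning` suppresses repeated messages within a process (the existing "should support IPv4 address" example matches the same rule). Confirm that the setup outside the hunk clears both, or reset them in a `before` block. A third example with a matching `deny 10.1.1.1` rule would pin down whether denials by IP are meant to warn as well, since `match?` is presumably shared by allow and deny declarations. The "should support IPv4 address" example continues past the end of the hunk.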