diff --git a/app/models/media_object.rb b/app/models/media_object.rb
index 6276a1c8e3..589d789acc 100644
--- a/app/models/media_object.rb
+++ b/app/models/media_object.rb
@@ -319,7 +319,7 @@ def fill_in_solr_fields_that_need_sections(solr_doc)
 
   def fill_in_solr_fields_needing_leases(solr_doc)
     solr_doc['read_access_virtual_group_ssim'] = virtual_read_groups + leases('external').map(&:inherited_read_groups).flatten
-    solr_doc['read_access_ip_group_ssim'] = collect_ips_for_index(ip_read_groups + leases('ip').map(&:inherited_read_groups).flatten)
+    solr_doc['read_access_ip_group_ssim'] = (ip_read_groups + leases('ip').map(&:inherited_read_groups).flatten).uniq
     solr_doc[Hydra.config.permissions.read.group] ||= []
     solr_doc[Hydra.config.permissions.read.group] += solr_doc['read_access_ip_group_ssim']
   end
@@ -495,14 +495,6 @@ def calculate_duration
       section_solr_docs.collect { |h| h['duration_ssi'].to_i }.compact.sum
     end
 
-    def collect_ips_for_index ip_strings
-      ips = ip_strings.collect do |ip|
-        addr = IPAddr.new(ip) rescue next
-        addr.to_range.map(&:to_s)
-      end
-      ips.flatten.compact.uniq || []
-    end
-
     def sections_with_files(tag: '*')
       # TODO: Optimize this into a single solr query?
       section_ids.select { |m| SpeedyAF::Proxy::MasterFile.find(m).supplemental_files(tag: tag).present? }
diff --git a/config/initializers/policy_aware_modification.rb b/config/initializers/policy_aware_modification.rb
index fcccbeb565..af4ccf4563 100644
--- a/config/initializers/policy_aware_modification.rb
+++ b/config/initializers/policy_aware_modification.rb
@@ -113,3 +113,19 @@ def self.count(query, args = {})
     result['response']['numFound'].to_i
   end
 end
+
+# Override to expand IP address ranges
+Blacklight::AccessControls::Ability.class_eval do
+  def read_groups(id)
+    doc = permissions_doc(id)
+    return [] if doc.nil?
+    groups = Array(doc[self.class.read_group_field]).uniq
+    groups = groups.map do |g|
+      ip = IPAddr.new(g) rescue nil
+      ip.present? ? ip.to_range.map(&:to_s) : g
+    end.flatten.compact.uniq
+    rg = download_groups(id) | groups
+    Rails.logger.debug("[CANCAN] read_groups: #{rg.inspect}")
+    rg
+  end
+end