Hi, I have remote access setup for faculty, staff and students using FMC/FTD,FXOS and I am curious if there is a better way to accomplish an objective. For example, we have a server support team (SAS) that want to tunnel traffic to certain subnets when on campus, but not when off campus. We have a public /16, so many of our systems are on public ranges. The problem is that some things while on campus require vpn, and some do not. But when off campus, all would require vpn tunneling. So for off campus access I have one connection profile with a group policy and a split tunnel acl that basically just does all 172.16.0.0 and all of our public /16 When on campus, I have a more specific connection profile with a group policy that has a more specific split tunnel acl.
Is this the best/only way to do this? Is there a way to have a split tunnel assigned based on the requester ip? Basically, if request comes from 172.16.0.0 or 126.96.36.199 then apply the on campus acl, anything else apply the off campus acl? I can't really see a way to avoid the two connection profile/two group policy approach since you can only have one split tunnel acl per group policy and only one group policy per connection profile.
Unless I'm missing something?
The only way to avoid separate connection profiles and associated group policies would be to have something external like ISE dynamically change the authorization (CoA) - i.e. switch the session to a separate connection profile automatically based on the user's contextual information post-initial login.
It would still use separate connection profiles but you would not have to publish them in the dropdown list and would not have to require users to choose among them.
Thank you for the reply. We do not have ISE, unfortunately. We do have FreeRADIUS. But the hope was to avoid two connection profiles for each of these situations. It sounds like we would still have needed that anyway.
Thanks for the input. The challenge was not so much to separate students from faculty, but to have a different split tunnel acl based on source ip address.