02-07-2019 07:05 AM - edited 02-21-2020 09:33 PM
Hi, I have remote access set up for faculty, staff and students using FMC/FTD and FXOS, and I am curious if there is a better way to accomplish an objective. For example, we have a server support team (SAS) that wants to tunnel traffic to certain subnets when on campus, but not when off campus. We have a public /16, so many of our systems are on public ranges. The problem is that some things while on campus require VPN, and some do not. But when off campus, all would require VPN tunneling. So for off-campus access I have one connection profile with a group policy and a split tunnel ACL that basically just does all of 172.16.0.0 and all of our public /16. When on campus, I have a more specific connection profile with a group policy that has a more specific split tunnel ACL.
Is this the best/only way to do this? Is there a way to have a split tunnel assigned based on the requester IP? Basically, if a request comes from 172.16.0.0 or 129.97.0.0 then apply the on-campus ACL, and for anything else apply the off-campus ACL? I can't really see a way to avoid the two connection profile/two group policy approach, since you can only have one split tunnel ACL per group policy and only one group policy per connection profile.
Unless I'm missing something?
02-07-2019 07:13 PM
The only way to avoid separate connection profiles and associated group policies would be to have something external like ISE dynamically change the authorization (CoA) - i.e. switch the session to a separate connection profile automatically based on the user's contextual information post-initial login.
It would still use separate connection profiles but you would not have to publish them in the dropdown list and would not have to require users to choose among them.
02-08-2019 05:26 AM
Thank you for the reply. We do not have ISE, unfortunately. We do have FreeRADIUS. But the hope was to avoid two connection profiles for each of these situations. It sounds like we would still have needed that anyway.
02-08-2019 01:50 AM
02-08-2019 05:27 AM
Thanks for the input. The challenge was not so much to separate students from faculty, but to have a different split tunnel ACL based on source IP address.
02-08-2019 05:09 PM