Hi:
I’m setting up a RAP to extend our corporate SSID to a remote site.
I’ve gotten the RAP to connect, and the corporate SSID shows up; remote users can connect and authenticate to Active Directory via ClearPass.
Lovely!
Now I’d like to configure a split tunnel at the remote site.
The current ClearPass policies check IF the user is in the corporate group AND the computer is an AD domain member, THEN they are assigned the corporate role.
To configure a split tunnel, I’m assuming that I’d want to add a rule in ClearPass that applies a different policy for RAP users, something like:
IF computer is a domain member, AND user is in the corporate group, AND AP group is Remote-AP, THEN apply a “corp-remote” role. The corp-remote role would have a permit action for corporate internal networks and a “route src-nat” action for all other addresses.
Does that seem like the best way to do this, or are there other best practices?
Thanks.
Tony
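For readers following the plan above, here is what the controller-side half of that design looks like in ArubaOS session-ACL form. This is an added illustration, not configuration from the original post or from Aruba's documentation for this particular deployment; the netdestination name, the 10.0.0.0/8 corporate range, the ACL name and the role name are all assumptions chosen for the example, and the ClearPass side is assumed to return the role via the Aruba-User-Role RADIUS attribute after matching the AP group condition.

```text
! Corporate address space that should stay inside the tunnel.
! 10.0.0.0/8 is an assumed placeholder; use the real internal ranges.
netdestination corp-internal
  network 10.0.0.0 255.0.0.0
!
! Split-tunnel ACL: traffic to corporate destinations is permitted
! (tunnelled back to the controller); everything else is routed and
! source-NATed out of the RAP's local uplink.
! Rule order matters: the permit for internal networks must come first,
! otherwise the catch-all "route src-nat" would match it too.
ip access-list session corp-remote-split
  user alias corp-internal any permit
  user any any route src-nat
!
! Role that ClearPass returns (Aruba-User-Role = corp-remote) for
! domain-member users in the corporate group on the Remote-AP group.
user-role corp-remote
  access-list session corp-remote-split
```

Two things worth checking once it is in place: confirm with `show rights corp-remote` that the ACL is attached in the expected order, and from a remote client verify that an internal address is reached via the tunnel while an Internet address exits locally. If the route src-nat rule is listed first, or the netdestination omits a subnet, internal traffic will silently leave through the remote site's Internet connection instead of the tunnel.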