You can try this split tunneling setup:
I did this exact same config that we use for our remote users using a RAP. With the split tunneling setup, the remote user can use their local resources, and all the other traffic (non-local, etc.) doesn't have to come all the way back to the campus.
Under the Private networks you define the IP spaces that you want the users to tunnel back to the HQ office:
user-role REMOTE-SECURE-SPLIT-TUNNEL-B
    access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
    access-list session allowall

ip access-list session REMOTE-SECURE-SPLIT-TUNNEL-ACL-B
    any any svc-dhcp permit
    any alias PRIVATE-NETWORKS-B any permit
    any any any route src-nat

wlan virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
    aaa-profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
    ssid-profile "REMOTE-SECURE-SSID-PROFILE-B"
    vlan "vlan"
    forward-mode split-tunnel
    band-steering

aaa profile "AAA-REMOTE-SECURE-DOT1X-SPLIT-TUNNEL-PROFILE-B"
    initial-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
    authentication-dot1x "AAA-AUTH-REMOTE-SECURE-802.1X-PROFILE-B"
    dot1x-default-role "REMOTE-SECURE-SPLIT-TUNNEL-B"
    dot1x-server-group "REMOTE-SECURE-AUTH-DOT1X-B"
    enforce-dhcp

ap-group "Remote-AP-Split-Tunnel"
    virtual-ap "REMOTE-SECURE-SPLIT-TUNNEL-VAP-PROFILE-B"
    ap-system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"

Corporate DNS servers
ap system-profile "REMOTE-SPLIT-TUNNEL-AP-SYSTEM-PROFILE-B"
    dns-domain <domain_name1>
    dns-domain <domain_name2>
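
A small model of how the session ACL above sorts traffic, as an added example that is not part of the original post: the first matching rule wins, permit is treated as "forward in the tunnel to the controller" and route src-nat as "local breakout". The contents of PRIVATE-NETWORKS-B and the svc-dhcp ports are assumptions, since the post does not show them.

```python
import ipaddress

# Constructed sample: the post does not show the PRIVATE-NETWORKS-B alias contents.
ALIASES = {"PRIVATE-NETWORKS-B": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]}
# Assumption: svc-dhcp is the predefined UDP 67-68 service.
SERVICES = {"svc-dhcp": ("udp", {67, 68})}

# Rules of REMOTE-SECURE-SPLIT-TUNNEL-ACL-B, in the order the post lists them.
ACL = """\
any any svc-dhcp permit
any alias PRIVATE-NETWORKS-B any permit
any any any route src-nat
"""


def parse_rule(line):
    """Parse '<src> <dst> <service> <action>' into (dst_nets, service, action)."""
    tok = line.split()
    if tok[1] == "alias":              # source is 'any' in every rule of this ACL
        dst, rest = ALIASES[tok[2]], tok[3:]
    else:
        dst, rest = None, tok[2:]      # None means destination 'any'
    return dst, rest[0], " ".join(rest[1:])


RULES = [parse_rule(l) for l in ACL.splitlines() if l.strip()]


def classify(dst_ip, proto, port):
    """First matching rule wins: 'permit' -> tunnel, 'route src-nat' -> local."""
    ip = ipaddress.ip_address(dst_ip)
    for dst, svc, action in RULES:
        if dst is not None and not any(ip in net for net in dst):
            continue
        if svc != "any" and (proto != SERVICES[svc][0] or port not in SERVICES[svc][1]):
            continue
        return "tunnel" if action == "permit" else "local"
    return "no-match"


def alias_overlaps(home_lan):
    """Alias entries that would pull a home LAN subnet into the tunnel."""
    lan = ipaddress.ip_network(home_lan)
    return [str(n) for nets in ALIASES.values() for n in nets if n.overlaps(lan)]


if __name__ == "__main__":
    for flow in [("10.20.30.40", "tcp", 443), ("8.8.8.8", "udp", 53), ("192.168.1.50", "tcp", 9100)]:
        print(flow, "->", classify(*flow))
```

With 192.168.0.0/16 in the alias, a printer on a 192.168.1.0/24 home LAN is classified as tunnel rather than local, so the alias is best limited to the ranges HQ actually uses.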