I am hoping to hear from some WAF experts out there with some suggestions/design help.
The current solution I am trying to provide is wireless access for guest users at all of our sites spaced throughout the globe. We want to restrict guests' access to the guest signup webpage based on where they are located. In other words, the guests need to be at one of our sites in order to sign up. We have sponsors, which are employees who can approve wireless access for those guests. Sponsors should be allowed to connect to the sponsor website from anywhere, but will be prompted to authenticate via SAML before approving access. Currently, the guest webpage and the sponsor webpage are different URLs but have the same host and domain names and use the same TCP ports.
My initial solution was to create two ACLs. One ACL does a host and extended match, where the extended match denies anyone not coming from one of our site IP addresses (WAN circuit IP). The other ACL sends you to the authentication server based on another host and extended match. We just recently ran into the issue that the extended match can only do so many comparisons before you can't add any more, taking us back to the drawing board. Obviously, I've picked a bad design for longevity and scalability.
I have considered forcing the wireless team to set the sponsor URL to a different host and domain name altogether so I can force sponsor requests into a different WAF service. Then I can set an IP reputation filter on the remaining guest service. I do not know if the IP reputation filter has an IP address entry limit or not, though.
I am just not sure where to go from here and was looking to see if anyone had any experience with this as I am a bit new to ACLs and URL translations on the WAF.