Cut-Through Proxy (CTP) is a Cisco ASA feature that allows authentication of user traffic at the application layer before permitting access to network resources. This capability is especially useful for controlling inbound and outbound access to protocols like Telnet, HTTP, HTTPS, and FTP. CTP leverages the AAA (Authentication, Authorization, and Accounting) framework to determine who is accessing the network, what they are permitted to do, and to keep logs of their activity.
At the heart of CTP lies AAA, which is responsible for managing user identities and access policies. AAA encompasses three components:
- Authentication confirms the user’s identity,
- Authorization defines what resources the user can access, and
- Accounting tracks user activity for auditing and reporting.
Cisco ASA supports two primary AAA protocols: RADIUS and TACACS+.
RADIUS (Remote Authentication Dial-In User Service) is an open standard that encrypts only the password during transmission. Traditionally, it uses UDP ports 1645 and 1646, but modern implementations default to ports 1812 (authentication and authorization) and 1813 (accounting). RADIUS requires two separate connections: one for authentication and authorization, and another for accounting.
TACACS+ (Terminal Access Controller Access-Control System Plus), on the other hand, is a Cisco-developed protocol that encrypts the entire packet for enhanced security. It uses TCP port 49 and relies on a single connection to handle all AAA functions. While TACACS originated from the U.S. Department of Defense, TACACS+ is Cisco’s proprietary enhancement and is widely used in Cisco-centric environments.
In lab environments, Cisco ISE (Identity Services Engine), commonly version 2.1, is used to provide TACACS+ or RADIUS-based AAA services along with advanced policy and identity management.
How Cut-Through Proxy Works
Here’s how the CTP mechanism functions in a typical scenario:
- A client initiates a connection request to a protected resource.
- The ASA intercepts this request and prompts the user for a username and password.
- The user provides credentials, which are then captured by the ASA.
- These credentials are redirected to a configured AAA server.
- The AAA server validates the credentials.
- If authentication is successful, the ASA establishes the connection and forwards the request to the original destination.
- If authentication fails, the request is dropped.
This user-based authentication process ensures that only authorized individuals are allowed to initiate sessions to or from protected network zones, while also providing traceability and control through accounting.
Configuring Cut-Through Proxy (CTP) on Cisco ASA Using TACACS+ and Cisco ISE
Setting up Cut-Through Proxy (CTP) on a Cisco ASA using TACACS+ provides robust user-based authentication for traffic such as Telnet, HTTP, HTTPS, and FTP. This configuration involves defining the AAA protocol, integrating with Cisco ISE, and verifying functionality with test credentials.
1. Configure TACACS+ on the ASA
To begin, define the AAA server protocol as TACACS+ on your Cisco ASA:
aaa-server name protocol tacacs+
Then specify the TACACS+ server’s IP address and the interface through which it will be reached:
aaa-server name interface host x.x.x.x
Optionally, set a timeout value for TACACS+ server responses:
timeout num-in-sec
Next, define the shared secret key used for communication between the ASA and the TACACS+ server:
key key
2. Define the Authentication Policy
To enforce CTP authentication on specific traffic, you must define an authentication rule:
aaa authentication include protocol interface source-subnet dest-subnet AAA-server-group
This rule tells the ASA which traffic to intercept and authenticate before allowing access.
You can customize user prompts with the following commands:
- Prompt for credentials:
auth-prompt prompt your-message
- Message on successful authentication:
auth-prompt accept your-message
- Message on rejection:
auth-prompt reject your-message
3. Configure Cisco ISE
To support authentication requests from the ASA, you need to register the ASA as a network device in Cisco ISE.
1. In the ISE GUI, navigate to Administration > Network Resources > Network Devices
2. Click Add, and fill in:
- Device Name
- IP Address (Single IP, Subnet, or Range)
- Enable TACACS+ and/or RADIUS as applicable
- Shared secret to match what you configured on the ASA
This step allows ISE to recognize and respond to authentication requests from the ASA.
4. Create Users in ISE
Now, configure user credentials in ISE that will be used for authentication testing.
1. Navigate to Administration > Identity Management > Identities > Users
2. Click Create and fill out:
- Username and optional description
- Password (with complexity enforcement, e.g., 4–128 characters)
- Choose options like password expiration, account lockout, etc.
These credentials will be matched when the ASA forwards authentication requests.
3. Create an ISE TACACS+ Device Admin policy set that authenticates and authorizes these users.
5. Test the Configuration
Finally, validate the integration by manually testing the connection from the ASA:
test aaa-server authentication server-name host x.x.x.x username name password pass
This command confirms that the ASA can reach the ISE server, that the key matches, and that user authentication is successful.
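Steps 1, 2 and 5 of this procedure, put together as one working ASA configuration. This is an added example, not configuration from the original guide; the server-group name ISE-TACACS, the address 10.10.10.5, the interface names and the shared secret are constructed placeholders.

```cisco
! Added example (not from the original guide): CTP with TACACS+ on a Cisco ASA.
! ISE-TACACS, 10.10.10.5, the interface names and the key are constructed values.
!
! Step 1: TACACS+ server group and host (all AAA functions share one TCP/49 connection).
aaa-server ISE-TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ISE-TACACS (inside) host 10.10.10.5
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Step 2: intercept Telnet, FTP, HTTP and HTTPS arriving on the outside interface
! from any source (0 0) to any destination (0 0) and authenticate through ISE-TACACS.
aaa authentication include telnet outside 0 0 0 0 ISE-TACACS
aaa authentication include ftp outside 0 0 0 0 ISE-TACACS
aaa authentication include http outside 0 0 0 0 ISE-TACACS
aaa authentication include https outside 0 0 0 0 ISE-TACACS
! Accounting for the same flows gives the audit trail the AAA model promises.
aaa accounting include telnet outside 0 0 0 0 ISE-TACACS
! Cache an authenticated user for 30 minutes of inactivity so every new session
! from that host is not re-prompted; 0:00:00 would force authentication per session.
timeout uauth 0:30:00 inactivity
! Custom prompts shown to the user.
auth-prompt prompt Enter your corporate credentials
auth-prompt accept Authentication successful
auth-prompt reject Authentication failed
!
! Step 5: from privileged EXEC mode, verify reachability, key match and a test user.
test aaa-server authentication ISE-TACACS host 10.10.10.5 username testuser password REPLACE-ME
```

The test user must also be covered by the Device Admin policy set created in ISE, otherwise the test reports a rejection even though reachability and the key are correct.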
By completing these steps, you’ll have a working CTP setup with TACACS+ on Cisco ASA, backed by user credentials in Cisco ISE. This configuration enhances network access control, accountability, and centralized authentication management.
Cut-Through Proxy (CTP) with RADIUS on Cisco ASA
Continuing from the previous setup using TACACS+, this guide walks you through configuring Cut-Through Proxy (CTP) on a Cisco ASA using RADIUS for AAA. Although RADIUS offers less granular command-level control than TACACS+, it is widely supported and still provides robust authentication, authorization, and accounting capabilities.
1. Configuring RADIUS on the ASA
Begin by specifying the AAA protocol as RADIUS:
aaa-server name protocol radius
Then configure the RADIUS server’s IP address and the interface through which it will be reached:
aaa-server name interface host x.x.x.x
Set a timeout value for server responses:
timeout num-seconds
Define the shared secret key for secure communication:
key shared-key
Next, define the authentication policy that will trigger user authentication for specific traffic flows:
aaa authentication include protocol interface src-subnet-mask dest-subnet-mask AAA-server-group
You can also customize user messages for the authentication prompts:
- Prompt for credentials:
auth-prompt prompt your-prompt
- Message upon successful authentication:
auth-prompt accept your-message
- Message on rejection:
auth-prompt reject your-message
2. Registering the ASA in Cisco ISE
Now, register your ASA device as a client in Cisco ISE:
- In the ISE interface, go to Administration > Network Resources > Network Devices
- Click Create.
- Provide the device name and IP address. Under Authentication Options, check the box for RADIUS and input the shared secret to match what you configured on the ASA.
3. Creating Users in ISE
To support user-based authentication, you must define internal user accounts in ISE.
- Go to Administration > Identity Management > Identities > Users
- Click Create.
- Enter the username and configure the password settings, such as:
- Password complexity (4–128 characters)
- Account lockout policy
- Optional password expiration settings
These user accounts will be validated against authentication requests forwarded from the ASA.
- Create an ISE RADIUS policy set that authenticates and authorizes these users.
5. Testing the RADIUS Integration
Once the ASA and ISE configurations are complete, verify the RADIUS authentication setup with the following command:
test aaa-server authentication name host x.x.x.x username username password password
This command helps ensure that your ASA can reach the RADIUS server, the credentials are valid, and the shared key matches.
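The RADIUS variant of the ASA side of this procedure, as an added example that is not part of the original guide. It shows the two points where RADIUS differs from the TACACS+ configuration: the separate authentication and accounting ports, and selecting the gated traffic with an ACL and the match form of the rule. The group name ISE-RADIUS, the addresses, the ACL name and the key are constructed placeholders.

```cisco
! Added example (not from the original guide): CTP with RADIUS on a Cisco ASA.
! ISE-RADIUS, 10.10.10.5, 192.0.2.0/24, CTP-AUTH and the key are constructed values.
!
! Step 1: RADIUS server group and host.
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 10.10.10.5
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
 ! The ASA defaults to the legacy ports 1645/1646; pin the modern 1812/1813 pair
 ! so authentication and accounting each reach the port ISE is configured for.
 authentication-port 1812
 accounting-port 1813
!
! Select traffic with an ACL and the "match" form of the rule rather than one
! "include" line per protocol: only Telnet and HTTP to the server subnet are gated.
access-list CTP-AUTH extended permit tcp any 192.0.2.0 255.255.255.0 eq telnet
access-list CTP-AUTH extended permit tcp any 192.0.2.0 255.255.255.0 eq www
aaa authentication match CTP-AUTH outside ISE-RADIUS
! Accounting is a separate RADIUS exchange on UDP/1813.
aaa accounting match CTP-AUTH outside ISE-RADIUS
!
! Step 5: from privileged EXEC mode, verify reachability, key match and a test user.
test aaa-server authentication ISE-RADIUS host 10.10.10.5 username testuser password REPLACE-ME
```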
By implementing CTP with RADIUS, you gain centralized user access control for services like Telnet, FTP, and HTTP/S. While it lacks TACACS+’s command authorization capabilities, RADIUS remains a reliable, standards-based protocol for user authentication.