Cisco ASA will authenticate the user attempting to access the asset that is protected by Cisco ASA, after user authenticated Cisco ASA will pass the credential to TACACS+ or RADIUS. The Cisco ASA is the authenticator and the user is supplicant, this is known as cut-through proxy.
An example scenario that user can bypass the Web Application Firewall by using RDP to connect to the DMZ, you want to add an additional layer of authentication so that user that attempts to use RDP must be authenticated first.
Create AAA server profile.
aaa-server RADIUS_SERVER protocol radius aaa-server RADIUS_SERVER (DMZ) host 192.168.1.1 timeout 300 key test-key authentication-port 1812 accounting-port 1813 end
RADIUS_SERVER is the profile name you can name anything you like.
aaa-server RADIUS_SERVER (DMZ) host 192.168.1.1 The zone within the brackets is where the AAA server is located, the host IP address is the address of the AAA server.
Create the access-list to check the interesting traffic. TCP3389 is the default RDP service port number.
access-list remote_auth extended permit tcp any host 192.168.200.1 eq 3389
As long as there is RDP connection to 192.168.200.1 it will be grouped.
Create the aaa authentication.
aaa authentication match remote_auth outside RADIUS_SERVER
This line will authenticate user from outside zone that is attempting to use RDP.
You can create an exemption list so that mac addresses in the list is not needed to authenticate if there is a match.
It may be a proxy that does not require authentication, because the user is the actual user that is accessing the asset and not the proxy, suppose the proxy server mac address is aaaa.bbbb.cccc.
mac-list EXEMPTION permit aaaa.bbbb.cccc ffff.ffff.ffff aaa mac-exempt match EXEMPTION