https://community.cisco.com/t5/network-access-control/cut-through-proxy-configuration-issue/m-p/1914538#M203618 <HTML><HEAD></HEAD><BODY><P> Nevermind, I've gotten this to work.&nbsp; I switched from RADIUS to TACACS+, and then followed the directions here: <A _jive_internal="true" href="https://community.cisco.com/docs/DOC-14695">https://supportforums.cisco.com/docs/DOC-14695</A>.&nbsp; I still had issues afterwards where the browser would say "Looking up INTERNALGATEWAY, then time out before loading the authentication prompt.&nbsp; I ended up adding an A record to our DNS server named INTERNALGATEWAY with the IP address of our internal network interface, and now I get the authentication prompt.&nbsp; Just wanted to post this here in case anyone else had this issue as well.</P></BODY></HTML> Wed, 14 Mar 2012 15:56:41 GMT DevinHill 2012-03-14T15:56:41Z https://community.cisco.com/t5/network-access-control/cut-through-proxy-configuration-issue/m-p/1914537#M203603 <P>I am having issues setting up cut-through proxy on an ASA 5510 running version 8.4 (2).&nbsp; All I'm trying to do is make it so user's have to log in to access external websites (both http and https), based on an Active Directory group called "InternetAccess".&nbsp; If a user is in that group, they can access the internet, if they aren't they are blocked.&nbsp; I've checked several links recommended in the support forums, but I can't seem to get this to work properly.&nbsp; Also, I'm using a Windows Server 2008R2 RADIUS server for authenticatiom, via the Windows Network Policy and Access Services.&nbsp; </P><P></P><P>So far, here is what I've tried.<BR />-Configured a RADIUS server group on the ASA.<BR />-Added the IP address to the radius server.<BR />-Tested Authentication via the Test button is ASDM and entered my Active Directory credentials.&nbsp; The test is successful.&nbsp; The Authorization test fails.<BR />-Configured the RADIUS server Connection Request Policy to allow the ASA as a client via friendly name.<BR />-Configured the RADIUS server Network Policy to allow the "InternetAccess" group.</P><P></P><P>On the ASA, typed the following commands:<BR />access-list myauth permit tcp internalIPrange netmask any eq 80<BR />access-list myauth permit tcp internalIPrange netmask any eq 443<BR />aaa authentication match myauth inside RADIUSSERVERNAME</P><P></P><P>After running these commands, HTTPS sites give an "invalid certificate error" and then the standard "Internet Explorer couldn't load this page" if you click through to ignore the certificate error.&nbsp; HTTP sites just go straight to the "Internet Explorer couldn't load this page" error.&nbsp; I'm never prompted for login information.&nbsp; Is there something else I'm missing?&nbsp; Should I be using the Cisco Active Directory agent at all?&nbsp; There's a lot of information on this topic and quite honestly I'm a bit lost when it comes to confguring this.</P> Mon, 11 Mar 2019 01:53:06 GMT https://community.cisco.com/t5/network-access-control/cut-through-proxy-configuration-issue/m-p/1914537#M203603 DevinHill 2019-03-11T01:53:06Z https://community.cisco.com/t5/network-access-control/cut-through-proxy-configuration-issue/m-p/1914538#M203618 <HTML><HEAD></HEAD><BODY><P> Nevermind, I've gotten this to work.&nbsp; I switched from RADIUS to TACACS+, and then followed the directions here: <A _jive_internal="true" href="https://community.cisco.com/docs/DOC-14695">https://supportforums.cisco.com/docs/DOC-14695</A>.&nbsp; I still had issues afterwards where the browser would say "Looking up INTERNALGATEWAY, then time out before loading the authentication prompt.&nbsp; I ended up adding an A record to our DNS server named INTERNALGATEWAY with the IP address of our internal network interface, and now I get the authentication prompt.&nbsp; Just wanted to post this here in case anyone else had this issue as well.</P></BODY></HTML> Wed, 14 Mar 2012 15:56:41 GMT https://community.cisco.com/t5/network-access-control/cut-through-proxy-configuration-issue/m-p/1914538#M203618 DevinHill 2012-03-14T15:56:41Z