I am having issues setting up cut-through proxy on an ASA 5510 running version 8.4(2). All I'm trying to do is make it so users have to log in to access external websites (both HTTP and HTTPS), based on an Active Directory group called "InternetAccess". If a user is in that group, they can access the internet; if they aren't, they are blocked. I've checked several links recommended in the support forums, but I can't seem to get this to work properly. Also, I'm using a Windows Server 2008 R2 RADIUS server for authentication, via the Windows Network Policy and Access Services.
So far, here is what I've tried.
- Configured a RADIUS server group on the ASA.
- Added the IP address of the RADIUS server.
- Tested authentication via the Test button in ASDM and entered my Active Directory credentials. The test is successful. The authorization test fails.
- Configured the RADIUS server Connection Request Policy to allow the ASA as a client via friendly name.
- Configured the RADIUS server Network Policy to allow the "InternetAccess" group.
On the ASA, typed the following commands:
access-list myauth permit tcp internalIPrange netmask any eq 80
access-list myauth permit tcp internalIPrange netmask any eq 443
aaa authentication match myauth inside RADIUSSERVERNAME
After running these commands, HTTPS sites give an "invalid certificate" error and then the standard "Internet Explorer couldn't load this page" if you click through to ignore the certificate error. HTTP sites just go straight to the "Internet Explorer couldn't load this page" error. I'm never prompted for login information. Is there something else I'm missing? Should I be using the Cisco Active Directory agent at all? There's a lot of information on this topic and quite honestly I'm a bit lost when it comes to configuring this.
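For reference, here is an added example of a complete cut-through proxy configuration for an ASA in this release family, not the poster's own config: it pairs the match ACL with an explicit RADIUS server definition and redirect listeners, so the browser is sent to an ASA-hosted login page rather than having the intercepted connection answered inline. The internal subnet, the RADIUS host address and the shared key are placeholders.

```text
! RADIUS server group pointing at the Windows NPS host (address and key are placeholders)
aaa-server RADIUSSERVERNAME protocol radius
aaa-server RADIUSSERVERNAME (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Web traffic from the internal subnet that must be authenticated before it is forwarded
access-list myauth extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list myauth extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
aaa authentication match myauth inside RADIUSSERVERNAME
!
! Redirect the browser to the ASA's own login page on these interface ports
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
!
! Verification: authenticated users and their idle/absolute timers, and RADIUS server state
show uauth
show aaa-server RADIUSSERVERNAME
```

The ports are set explicitly to the IANA RADIUS values; match them to whatever the NPS server is listening on, and check `show aaa-server` for failed or "unresponsive" servers before assuming the ACL is at fault.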