Cisco IOS Firewall Authentication Proxy
AAA server configuration

Authentication Proxy Configuration
The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs. Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall. If the user fails to authenticate with the AAA server, the connection request is dropped.

How the authentication proxy is applied depends on the security policy. For example, All traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections. Users are authorized for services only after successful authentication with the AAA server. The authentication proxy feature also enables administrators to use standard ACLs to specify a host or group of hosts whose initial HTTP, HTTPS, FTP, or Telnet traffic triggers the proxy.

Cisco Secure ACS auth-proxy Service
The Cisco Secure ACS for Windows Server AAA server can be configured to support authentication proxy by configuring the AAA authorization auth-proxy service . This creates a new section in the Group Setup frame in which user profiles can be created. This does not interfere with other types of services that the AAA server may have.