A firewall can be configured to require users to authenticate before connections are permitted. Once a user authenticates successfully, the result is cached and used to permit subsequent connections from the same user.
The firewall functions as an authentication proxy, because cached authentication information is used in place of repeated authentication credentials entered by the user. Connections simply “cut through” the firewall in a very efficient fashion.
Devices that initiate connections but can't participate in authentication (Cisco IP phones, for example) can be exempted from AAA and allowed to pass through the firewall.
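The per-connection decision described above can be modeled in a few lines. This is an added example, not Cisco code or configuration: the class name, the cache keyed on source IP, the MAC-based exemption list and the 300-second cache lifetime are all assumptions made for illustration.

```python
import time

class CutThroughProxy:
    """Toy model of the firewall's decision for each new connection."""
    def __init__(self, verify, exempt_macs=(), cache_ttl=300, clock=time.monotonic):
        self.verify = verify          # callable(user, password) -> bool; stands in for the AAA server
        self.exempt = {m.lower() for m in exempt_macs}  # devices that cannot authenticate
        self.cache_ttl = cache_ttl    # assumed lifetime of a cached authentication, in seconds
        self.clock = clock
        self.cache = {}               # assumed key: source IP -> (user, expiry time)
        self.prompts = 0              # number of times credentials were actually checked

    def connect(self, src_ip, src_mac, credentials=None):
        """Return (allowed, reason) for one connection attempt."""
        if src_mac.lower() in self.exempt:
            return True, "exempt"             # exempted from AAA, passes straight through
        entry = self.cache.get(src_ip)
        if entry and entry[1] > self.clock():
            return True, "cached"             # cut through: cached result, no new prompt
        self.cache.pop(src_ip, None)          # drop an expired entry, if any
        if credentials is None:
            return False, "auth-required"     # firewall must prompt the user first
        self.prompts += 1
        if not self.verify(*credentials):
            return False, "auth-failed"       # only successful authentications are cached
        self.cache[src_ip] = (credentials[0], self.clock() + self.cache_ttl)
        return True, "authenticated"

def demo():
    """Run a constructed sequence of connections and return the decisions."""
    now = [0.0]                                # fake clock so expiry is deterministic
    users = {"alice": "correct horse"}         # constructed credential store
    fw = CutThroughProxy(lambda u, p: users.get(u) == p,
                         exempt_macs=["00:11:22:33:44:55"], clock=lambda: now[0])
    pc = ("192.0.2.10", "aa:bb:cc:00:00:01")     # constructed user workstation
    phone = ("192.0.2.20", "00:11:22:33:44:55")  # constructed IP phone
    results = [
        fw.connect(*pc)[1],
        fw.connect(*pc, credentials=("alice", "wrong"))[1],
        fw.connect(*pc, credentials=("alice", "correct horse"))[1],
        fw.connect(*pc)[1],
        fw.connect(*phone)[1],
    ]
    now[0] = 301                               # move past the assumed cache lifetime
    results.append(fw.connect(*pc)[1])
    return results, fw.prompts
```

In this model the exemption and the cache both rest on identifiers the firewall does not itself authenticate on each connection, which is why the exemption list should stay as short as possible and cached entries should expire.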
You can use the following steps ...