Cut-thru authentication provides an added layer of security and a central point to manage access-lists, the ACS in this case.
First, create a "downloadable IP ACL" within the ACS framework.
Shared Profile Components -> Downloadable IP ACLs -> Add (ACL and ACE's)
Next, associate this ACL with an ACS user or group. Note that you might have to modify "Interface Configuration" and "Advanced Options" to make "downloadable ACLs" appear in the user definition pages.
Now, on the ASA:
First create an access-list to define interesting traffic:
access-list redzone permit tcp any any eq telnet
Next permit access to either the appliance's virtual telnet addresses or at least one inside target host via telnet in the access-list applied on the outside interface:
access-list outside_in permit tcp any host 10.35.0.252 eq telnet
Next, configure AAA authentication:
aaa authentication match redzone outside myRadiusServer
Note that you should configure your RADIUS server:
aaa-server myRaidiusServer protocol radius
aaa-server myRadiusServer (outside) host H.O.S.T key secret
You can also configure local authentication with the appliance:
virtual telnet h.0.s.t
Remember to allow telnet access to the this virtual telnet IP address via the outside_in access-list.
Once the user is authenticated, you can verify by:
You will see the temporary ACL in the output of the show command. Note that no "authorization" configuration was necessary when using RADIUS (contrast with the post that describes TACACS+ authentication and authorizaton).