Palo Alto Captive Portal - REST API Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-29

This article describes how to integrate Palo Alto Captive Portal with RSA Cloud Access Service (CAS) using RSA MFA API (REST).

  

Configure CAS

Perform these steps to configure CAS for REST API.

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Navigate to Platform > API Access Management > Authentication API Keys.
  3. Add a new Authentication API Key.
  4. Copy the API Key and URL to use when setting up the connector.
  5. Fetch the corresponding CA certificates from your Tenant URL; they will be used later in the Palo Alto configuration.
  6. Click Publish Changes and wait for the operation to be completed.
    Your application is now enabled for SSO. 
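
For step 5, one way to pull the CA certificates from the tenant with openssl. This is an added example, not part of the RSA guide; the CAS_HOST variable, the ./cas-chain directory and the function names are assumptions. A TLS server often omits the root certificate from the chain it sends, and a chain fetched over the network is only as trustworthy as that connection, so compare the printed SHA-256 fingerprints against a trusted source before importing anything into the firewall.

```bash
#!/usr/bin/env bash
# Added example. CAS_HOST, the output directory and the function names are
# assumptions; set CAS_HOST to your tenant's hostname before running.

# Print the TLS handshake output, including every certificate the server sends.
fetch_chain() {
  local host="$1"
  openssl s_client -connect "${host}:443" -servername "${host}" \
    -showcerts </dev/null 2>/dev/null
}

# Split the PEM blocks on stdin into DIR/cert-N.pem and print how many were found.
split_pem_chain() {
  local dir="$1"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  '
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Show identity, expiry and SHA-256 fingerprint of each CA certificate in DIR.
report_ca_certs() {
  local dir="$1" f
  for f in "$dir"/cert-*.pem; do
    [ -e "$f" ] || continue
    is_ca_cert "$f" || continue
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -enddate -fingerprint -sha256
  done
}

# Runs only when CAS_HOST is set, so sourcing the file has no side effects.
if [ -n "${CAS_HOST:-}" ]; then
  fetch_chain "$CAS_HOST" | split_pem_chain ./cas-chain
  report_ca_certs ./cas-chain
fi
```

The leaf certificate is skipped by the CA filter, so only the issuing certificates are listed.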

     

Configure Palo Alto Captive Portal

Perform these steps to configure Palo Alto Captive Portal.

Procedure

  1. Log in to Palo Alto Captive Portal Admin Console.
  2. Go to Device > Multi-Factor Authentication Profile and enter the following details copied from RSA.
    1. API Host: CAS hostname
    2. Client Key: The value of the key copied from the RSA Cloud Administration Console.
    3. Access ID: The name of the API Key fetched from the RSA Cloud Administration Console.
  3. To create the Authentication Rule, go to Device > User Identification > Authentication Portal and enter the following details.
    1. Mode: Choose Redirect.
    2. SSL/TLS Service Profile: Select the created Service Profile.
    3. Authentication Profile: Select the created Authentication Profile.
    4. Redirect Host: Specify the hostname or IP address of the Redirect Host that is accessible to the systems expected to use Captive Portal.
  4. Go to Objects > Authentication and create an Authentication Enforcement by providing the following details.
    1. Provide the Profile Name, select the Authentication Method as web-form, and select the Authentication Profile.
  5. Go to Policies > Authentication and create an Authentication Policy Rule by providing the following details.
    1. On the General tab, provide a name for the rule as shown in the following screenshot.
    2. On the Actions tab, under Log Settings, select the Log Authentication Timeouts checkbox.
  6. Go to Network > Interface Management Profile and choose the profile.
  7. Select the Response Pages checkbox.
  8. Go to Device > Authentication, assign the MFA profile to the required authentication profile, and ensure that this profile is applied in the Authentication Portal and Authentication Enforcement settings. In the following example, we will use the SAML profile named RSA_SAML, which was previously used only for SAML authentication. We will now configure it to use REST API requests to RSA Cloud by enabling Additional Authentication Factors.
  9. Commit the changes to your firewall. 

The configuration is complete.