Introduction
- Last Updated: August 29, 2025
A Common Access Card (CAC) is a smart card used to identify active-duty military personnel, Selected Reserve, US Department of Defense (DoD) civilian employees and eligible contractor personnel. In addition to providing physical access to buildings and protected areas, it allows access to DoD computer networks and systems, satisfying requirements for two-factor authentication, digital security and data encryption. It leverages a Public Key Infrastructure (PKI) Security Certificate to verify a cardholder’s identity prior to allowing access to protected resources.
The Edge Security Pack (ESP) feature of the LoadMaster supports integration with DoD environments leveraging CAC authentication and Active Directory application infrastructures. The LoadMaster acts on behalf of clients presenting X.509 certificates using CAC and becomes the authenticated Kerberos client for services.
CAC authentication can also be used to authenticate access to the LoadMaster WUI. For more information on this, please refer to the Using CAC Authentication for LoadMaster WUI Access section.
The request for and presentation of the client certificate happens during initial SSL session establishment. There are two core elements to the process of a user gaining access to an application with CAC:
- Authentication – occurs during SSL session establishment and entails:
  - Verifying the certificate date
  - Verifying revocation status using Online Certificate Status Protocol (OCSP)
  - Verifying the full chain to the Certificate Authority (CA)
- Authorization – occurs after SSL session establishment and entails matching the certificate Subject Alternative Name (SAN) against the User Principal Name (UPN) of the appropriate principal in Active Directory.
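The authorization step above, as an added example that is not LoadMaster code: it extracts the UPN from a DER-encoded SAN and compares it with a directory UPN. It assumes the UPN is carried as an otherName with the Microsoft UPN OID (1.3.6.1.4.1.311.20.2.3) and that the comparison is case-insensitive; all function names are hypothetical and the sample SAN is constructed.

```python
# Added example (not LoadMaster code); assumes the UPN is an otherName with this OID.
MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def tlv(tag, body):
    """Encode one DER element (used only to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n == 0x80:
        raise ValueError("indefinite length is not DER")
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def upns_from_san(san_der):
    """Collect every UPN otherName from a DER-encoded GeneralNames value."""
    tag, names, end = read_tlv(san_der)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SAN must be exactly one SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:  # skip rfc822Name, dNSName, etc.
            continue
        t1, oid, nxt = read_tlv(body)          # type-id (OBJECT IDENTIFIER)
        t2, wrapped, _ = read_tlv(body, nxt)   # value, [0] EXPLICIT
        t3, text, _ = read_tlv(wrapped)        # UTF8String holding the UPN
        if (t1, t2, t3) == (0x06, 0xA0, 0x0C) and oid == MS_UPN_OID:
            found.append(text.decode("utf-8"))
    return found

def authorize(san_der, directory_upn):
    """True only for exactly one UPN that matches (case-insensitive: assumption)."""
    upns = upns_from_san(san_der)
    return len(upns) == 1 and upns[0].casefold() == directory_upn.casefold()

def sample_san(upn):
    """Constructed SAN: one rfc822Name plus one UPN otherName."""
    other = tlv(0x06, MS_UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode()))
    return tlv(0x30, tlv(0x81, b"user@example.mil") + tlv(0xA0, other))
```

A certificate with no UPN, or with more than one, is denied rather than matched on another SAN entry.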
Document Purpose
The purpose of this document is to provide step-by-step instructions on how to configure the LoadMaster to use DoD CAC authentication.