OCSP Configuration
- Last Updated: May 13, 2025
A Common Access Card (CAC) is a smart card used to identify active-duty military personnel, selected reserve, US Department of Defense (DoD) civilian employees and eligible contractor personnel. In addition to granting physical access to buildings and protected areas, it gives access to DoD computer networks and systems, providing two-factor authentication, digital signing and data encryption. The card carries Public Key Infrastructure (PKI) certificates that are used to verify the cardholder's identity before access to protected resources is allowed.
The Edge Security Pack (ESP) feature of the LoadMaster supports integration with DoD environments that rely on CAC authentication and an Active Directory application infrastructure. The LoadMaster validates the X.509 certificate presented from the client's CAC, acts on behalf of that client, and becomes the authenticated Kerberos client for the services behind it.
The request for and presentation of the client certificate happens during initial SSL session establishment. There are two core elements to the process of a user gaining access to an application with CAC:
- Authentication occurs during SSL session establishment and entails:
  - Verifying the certificate's validity period (not-before and not-after dates)
  - Verifying its revocation status using the Online Certificate Status Protocol (OCSP)
  - Verifying the full chain up to a trusted Certificate Authority (CA)
- Authorization occurs after SSL session establishment, by matching the User Principal Name (UPN) carried in the certificate's Subject Alternative Name (SAN) against the UPN of the corresponding principal in Active Directory.
The CA that issues a certificate can embed the URL of its OCSP responder in the certificate's Authority Information Access (AIA) extension, so different certificates can point to different OCSP responders. The OCSP server configured on the LoadMaster is used only when a certificate carries no OCSP URL in its AIA extension; it is the last-resort responder, not an override of what the certificate says. In either case the URL only determines where the status request is sent; the answer is trusted only after the OCSP response signature has been verified against the issuing CA, so the cardholder cannot pick who vouches for the certificate's status.
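The following shell script is an added example and is not part of the LoadMaster documentation or of Kemp's own implementation. It uses the openssl command line to walk through the checks listed above on constructed test data: it builds a throw-away CA, issues CAC-style client certificates with and without an OCSP URL in the AIA extension, selects the responder the way this page describes (AIA URL first, the configured server only as a last resort) and runs a complete OCSP exchange offline, including a revoked certificate. The CA, the certificates, the UPNs and the responder URLs (ocsp.example.test and ocsp-fallback.example.test) are all constructed for the example; the LoadMaster's own OCSP client is not shown.

```shell
#!/bin/sh
# Added example (not from the LoadMaster documentation). It builds a throw-away
# test CA, issues CAC-style client certificates with and without an OCSP URL in
# the Authority Information Access (AIA) extension, selects the responder the way
# the page describes (AIA URL first, the configured server only as a last resort)
# and runs a complete, offline OCSP exchange with openssl: build the request,
# answer it from the CA's index file, verify the response signature and chain,
# and read out good/revoked. All names, URLs and UPNs are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical responder addresses; neither exists.
AIA_OCSP_URL="http://ocsp.example.test/"                # what the issuing CA puts in the certificate
DEFAULT_OCSP_URL="http://ocsp-fallback.example.test/"   # what an administrator would configure on the LoadMaster

# Throw-away issuing CA (it also signs the OCSP responses, as a CA-signed responder would).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue NAME SERIAL UPN [AIA-URL]: client certificate with the UPN in the SAN, the
# way a CAC identity certificate carries it; AIA is only added when a URL is given.
issue() {
  name=$1; serial=$2; upn=$3; aia=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature"
    echo "extendedKeyUsage=clientAuth"
    echo "subjectAltName=otherName:msUPN;UTF8:$upn"
    if [ -n "$aia" ]; then echo "authorityInfoAccess=OCSP;URI:$aia"; fi
  } >"$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$serial" -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

issue cac-valid   4096 1000000001@mil "$AIA_OCSP_URL"
issue cac-revoked 4097 1000000002@mil "$AIA_OCSP_URL"
issue cac-no-aia  4098 1000000003@mil                   # no AIA: the configured server must be used

# CA database in the openssl ca index format (status, expiry, revocation date,
# hex serial, file, subject). The openssl ocsp responder keys on the serial only.
printf 'V\t991231235959Z\t\t1000\tunknown\t/CN=cac-valid\n'                >"$WORK/index.txt"
printf 'R\t991231235959Z\t250101000000Z\t1001\tunknown\t/CN=cac-revoked\n' >>"$WORK/index.txt"
printf 'V\t991231235959Z\t\t1002\tunknown\t/CN=cac-no-aia\n'              >>"$WORK/index.txt"

# responder_for CERT: the OCSP URL from the certificate's AIA extension, else the
# configured default (the page's "last resort" server).
responder_for() {
  uri=$(openssl x509 -in "$1" -noout -ocsp_uri | head -n 1)
  if [ -n "$uri" ]; then echo "$uri"; else echo "$DEFAULT_OCSP_URL"; fi
}

# ocsp_status CERT: good | revoked | unknown | error. Runs the full exchange
# offline: the client builds the request, the responder answers from the index,
# and the client verifies the response against the CA before trusting the status.
ocsp_status() {
  name=$(basename "$1" .crt)
  # 1. Client side: OCSP request for this certificate's serial under our CA.
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$1" -no_nonce \
    -reqout "$WORK/$name.req" >/dev/null 2>&1
  # 2. Responder side: answer from the index, signed with the CA key.
  openssl ocsp -index "$WORK/index.txt" -rsigner "$WORK/ca.crt" -rkey "$WORK/ca.key" \
    -CA "$WORK/ca.crt" -reqin "$WORK/$name.req" -respout "$WORK/$name.resp" >/dev/null 2>&1
  # 3. Client side: verify signature and chain, then read the status line.
  out=$(openssl ocsp -respin "$WORK/$name.resp" -issuer "$WORK/ca.crt" -cert "$1" \
    -no_nonce -CAfile "$WORK/ca.crt" 2>&1) || { echo error; return 0; }
  case "$out" in
    *"Response verify OK"*) printf '%s\n' "$out" | awk -F': ' -v c="$1" '$1 == c { print $2 }' ;;
    *) echo error ;;
  esac
}

for c in cac-valid cac-revoked cac-no-aia; do
  printf '%-12s responder=%-36s status=%s\n' "$c" \
    "$(responder_for "$WORK/$c.crt")" "$(ocsp_status "$WORK/$c.crt")"
done
```

Run it with sh; it needs only openssl. The AIA URL is read with `openssl x509 -ocsp_uri`; in a real deployment that URL is where the request would be sent, while here the responder side is simulated with `openssl ocsp -index` so the script works without network access. Step 3 is what makes the status trustworthy: the URL in the certificate only says where to ask, and the signature check against the issuing CA says whether to believe the answer.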
For more information, refer to the DoD Common Access Card (CAC) Authentication Feature Description.