What is a CAC (get your mind out of the gutter)?

Common Access Card 101

If you have ever worked on a project for the Department of Defense, you probably already know what a CAC is. For those who have not worked on a DoD project, this will give you a very tiny bit of background on “what's a CAC?”

First off, a CAC is the ATM of DoD. By that I mean most folks call it a “CAC Card”, an oxymoron, much like they say “ATM Machine”. It is also another of DoD’s TLAs (Three Letter Acronyms), and DoD is famous for its TLAs.

CAC stands for Common Access Card. Hence, the “CAC Card” redundancy.

The Common Access Card (CAC) is a United States Department of Defense (DoD) smart card issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, other non-DoD government employees, state employees of the National Guard, and eligible contractor personnel. It is used for access control to buildings, systems, and anything else that needs to know who you are before letting you in. I will now discuss how a CAC can be used in association with SiteMinder to control access to protected systems. For our purposes, a CAC is a smart card you can load up with X.509 certificates. CACs require a card reader on the PC, so we will assume that one has been installed and the drivers loaded.

CA has an optional module available to read and process CAC certificates and pass them on to the Policy Server for processing. It is an authentication module that installs on a Windows Policy Server (.dll based). It identifies the person at the browser like any other authentication method (LDAP, AD, ODBC, et al.). Once the person is identified, it is up to the Policy Server to decide what to do next.

The system I worked with utilized Active Directory, via LDAP, as a User Store. Setting up CAC authentication was very simple. Install the module and set the library properly in the Policy Server. Then you need to map X.509 certificate attributes, by issuer, to AD attributes. Once a CAC is presented, the reader will provide the contents via the CA X.509 code. If the mapped attribute on the certificate matches a corresponding attribute in AD, the user is authenticated. The code installs on the Policy Server, so any agent should be able to use this method for authentication.
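The per-issuer mapping described above, sketched in Python as an added example (not SiteMinder's code or configuration syntax). The issuer names, attribute choices and directory entries are constructed, and it assumes the certificate chain and revocation status were already validated before the lookup.

```python
# Constructed per-issuer mapping: issuer DN -> (certificate subject attribute, directory attribute).
ISSUER_MAP = {
    "cn=example ca 1,ou=pki,o=example,c=us": ("CN", "userPrincipalName"),
    "cn=example ca 2,ou=pki,o=example,c=us": ("E", "mail"),
}

# Constructed stand-in for the user store (a real deployment queries AD over LDAP).
DIRECTORY = [
    {"dn": "CN=Doe Jane,OU=Users,DC=example,DC=test", "userPrincipalName": "DOE.JANE.1234567890"},
    {"dn": "CN=Roe Rick,OU=Users,DC=example,DC=test", "mail": "rick.roe@example.test"},
]

def parse_dn(dn):
    """Split a DN string into (TYPE, value) pairs; handles backslash-escaped characters only."""
    parts, buf, esc = [], "", False
    for ch in dn:
        if esc:
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [(k.strip().upper(), v.strip()) for k, _, v in (p.partition("=") for p in parts)]

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so certificate text cannot alter the query."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def lookup(issuer_dn, subject_dn):
    """Return (filter, matched directory DN); raise if the issuer is unmapped or the match is not unique."""
    issuer = ",".join(f"{k.lower()}={v.lower()}" for k, v in parse_dn(issuer_dn))
    if issuer not in ISSUER_MAP:
        raise PermissionError("issuer has no mapping")  # fail closed on unknown issuers
    cert_attr, dir_attr = ISSUER_MAP[issuer]
    values = [v for k, v in parse_dn(subject_dn) if k == cert_attr]
    if len(values) != 1 or not values[0]:
        raise PermissionError("mapped attribute missing or repeated in subject")
    ldap_filter = f"({dir_attr}={ldap_escape(values[0])})"  # what would be sent to the directory
    hits = [e["dn"] for e in DIRECTORY if e.get(dir_attr, "").lower() == values[0].lower()]
    if len(hits) != 1:
        raise PermissionError("no unique directory entry")
    return ldap_filter, hits[0]
```

The points to carry into a real deployment are the fail-closed handling of unmapped issuers, the requirement for exactly one directory match, and escaping certificate-supplied text before it reaches an LDAP filter.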

Once you have all this configured, accessing a protected resource can be as simple as going to the URL, inserting your CAC in the reader, entering your CAC PIN, and you are there.

For more information regarding the SiteMinder CAC module, contact IDMWorks.