Physical & Logical Access Proof Of Concept - Pilot


The goal of the proof of concept - pilot is to demonstrate a combined logical and physical access solution by using a single smart card and by using the NPKI as the credential supplier for the participants of the proof of concept - pilot.


  1. Logical access provides access to the network transport services, the network and to resources.
  2. Physical access provides authorized access to building and/or rooms.
  3. Strong authentication, multi factor authentication based on something you know and something you have (smart card and pin code / passphrase).


The following objectives are to be addressed in this proof of concept - pilot:

  1. Physical access to buildings via card reader (smart card).
  2. Logical access to network transport services (wifi, soft cert).
  3. Logical user authentication and access to CIS (smart card).
  4. Mobile access to network transport services (soft cert on mobile device).
  5. Authentication based secure printing (smart card).
  6. Digital signature and encryption (smart card).


  1. Physical access to two locations.
  2. Logical access to NR CIS.
  3. Access to network transport services from iOS devices.

Proposed Proof of Concept solution:

The architecture is based on Entrust Identity Guard; this single platform can provide controlled access to buildings / rooms (physical access) and access to networks (logical access).


The Entrust Identity Guard will function as the heart of the authentication system. It makes use of the NATO PKI (NPKI).

Three doors will be equipped with an electrical releasable lock and a smart card reader. Upon entry the smart card will be inserted in the smart card reader and access will be either granted (authorized user) or access will be denied (non-authorized user). Two separate rooms will be equipped with smart card readers; this is to demonstrate the possibility to define specific access to users.

In the office the user connects to the network transport services (wireless network), access to the network transport services is based on presenting a valid NPKI issued digital certificate. This digital certificate is stored on the local laptop / computer. The NPKI issued certificate is only used for machine authentication to the network transport services.  

Once connected to the network transport services the user inserts his/hers smart card into the machine (laptop/computer) and establishes a VPN connection. The authentication used for establishing the VPN is also based on NPKI issued digital certificates. The NPKI issued digital certificates used for the VPN authentication are stored on the smart card. This provides strong authentication for access via VPN.

Windows logon will be replaced with smart card logon, making use of NPKI issued digital certificates stored on the smart card. This provides strong authentication for access to the NR network.

Mobile devices (iOS, Apple devices) will be equipped with NPKI issued soft digital certificates which will be used to authenticate the mobile device to the network transport services.


The project runs from 01 July 2012 till 31 August 2012.
The following milestones have been identified:
1- Installation of the hardware (5-6 July 2012).
2- Installation of the software (9-10 July 2012, not confirmed yet).
3- Testing (11 July 2012 - 24 August 2012).
4- Test evaluation (27-28 August 2012).
5- Test report creation (29-31 August 2012).

Planning July 2012

Planning August 2012


Point of Contact NCIA:

Mr. Eddie Netten

Tel: +32 65 44 2278

Mr. John Tatman

Tel: +32 65 44 3678

Business Partners:


Uni Business


The Physical and Logical Proof of Concept - Pilot demontrates a solution. It is not our intent to promote the vendor as the only available solution. Entrust is chosen due to the presence of Entrust as our operational NPKI system. Uni Business is an integrator who is experienced in working for NATO.


Please enter a search term !