How does the CAS internal authentication work?