Auditing

Recently, a fourth "A" has been added to AAA services: auditing. This term describes the proactive analysis of accounting data, and of information such as the previously mentioned sFlow or NetFlow, to draw additional conclusions about user behavior. Auditing is a long-term process that is done as part of basic maintenance. It can show when user behavior does not match site policy, or when site policy has to be updated.

For example, a user may have logged into a particular server when the intent of the site policy was to deny that user access to that server. An audit of the AAA records would indicate that an authenticated user was authorized to access that server. However, since the intent was to deny that user access, the audit would indicate that the site policy has to be updated. Once the policy was updated, further audits would monitor long-term behavior, to see if the policy was, in fact, being enforced.

Auditing can serve an additional purpose, which is to determine if the NASes are enforcing the authorization policies sent to them. This analysis can potentially indicate when a NAS has been compromised.
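
The two audits described above can be run as a join between what the AAA server authorized and what each NAS later reported. The following is an added example, not code from the original page. It assumes the records are already parsed into dictionaries, that sessions are correlated through the RADIUS Class attribute, and that the authorization being checked is Session-Timeout; the intended-deny list format and all sample records are constructed.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "kind user nas detail")

# Constructed sample data. Intended site policy (hypothetical format):
# (user, NAS) pairs that the site means to deny.
INTENDED_DENY = {("bob", "10.0.0.5")}

# What the AAA server authorized (Access-Accept), keyed by the Class attribute,
# which the NAS is expected to echo back in its accounting packets.
ACCEPTS = [
    {"Class": "s1", "User-Name": "alice", "NAS-IP-Address": "10.0.0.5", "Session-Timeout": 3600},
    {"Class": "s2", "User-Name": "bob", "NAS-IP-Address": "10.0.0.5", "Session-Timeout": 3600},
    {"Class": "s3", "User-Name": "carol", "NAS-IP-Address": "10.0.0.9", "Session-Timeout": 1800},
]

# Accounting Stop records as reported by each NAS.
STOPS = [
    {"Class": "s1", "NAS-IP-Address": "10.0.0.5", "Acct-Session-Time": 1200},
    {"Class": "s2", "NAS-IP-Address": "10.0.0.5", "Acct-Session-Time": 300},
    {"Class": "s3", "NAS-IP-Address": "10.0.0.9", "Acct-Session-Time": 7200},
    {"Class": "s9", "NAS-IP-Address": "10.0.0.9", "Acct-Session-Time": 60},
]

def audit(accepts, stops, intended_deny, slack=60):
    """Return findings; slack is the tolerated overrun in seconds."""
    findings = []
    by_class = {a["Class"]: a for a in accepts}
    # Check 1: the server authorized something the site intended to deny,
    # so the policy (not the NAS) needs updating.
    for a in accepts:
        if (a["User-Name"], a["NAS-IP-Address"]) in intended_deny:
            findings.append(Finding("policy-gap", a["User-Name"], a["NAS-IP-Address"],
                                    "authorized, but site intent is deny"))
    # Check 2: the NAS reported usage that the authorization did not allow.
    for s in stops:
        a = by_class.get(s["Class"])
        if a is None:
            findings.append(Finding("unmatched-session", None, s["NAS-IP-Address"],
                                    "no Access-Accept for Class " + s["Class"]))
        elif s["Acct-Session-Time"] > a["Session-Timeout"] + slack:
            findings.append(Finding("not-enforced", a["User-Name"], s["NAS-IP-Address"],
                                    "ran %ds, limit %ds" % (s["Acct-Session-Time"], a["Session-Timeout"])))
    return findings

if __name__ == "__main__":
    for f in audit(ACCEPTS, STOPS, INTENDED_DENY):
        print(f)
```

A "policy-gap" finding points at the site policy, while "not-enforced" and "unmatched-session" findings point at the NAS or at missing logs and are the ones to investigate as a possible compromise.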