Auditing refers to the proactive analysis of accounting logs and other data (such as sFlow or NetFlow data). This analysis is a long-term process and is part of ongoing maintenance and monitoring. Auditing provides information about the user’s post-authentication behavior. It can provide insight on when to update local site policy to best match user behavior.
Auditing can also be used to determine when an NAS has been compromised, by monitoring NAS enforcement of the required authorization policies. For example, if a user manages to override site policy and log into a particular server when the intent of the site policy was to deny that user access, an audit of the AAA records would highlight that policy violation. Since the intent of the site policy - to deny that user access - was overturned by the user, the audit would indicate that the site policy should be updated by the network administrator to prevent future policy violations. Subsequent audits would monitor long-term behavior and thus ensure that the policy is being enforced.