We have already looked at authentication and authorization. In this third article, we’ll take a look at the accounting process, the process of monitoring and recording a client’s use of the network, and we’ll describe why it’s essential that the RADIUS server monitors user activity on the network.
RADIUS security is composed of three components: authentication, authorization, and accounting. These three links in the RADIUS security chain are often referred to by their acronym, “AAA”.
The first article in our series described the authentication process, whereby the RADIUS server prevents unauthorized users from accessing the system.
The second article described the authorization process, whereby the RADIUS server restricts what each user can and cannot do while logged into the system.
Advantages of RADIUS Accounting
Users are authenticated on the network through the process of authorization, and their activities, once logged on, are restricted by the process of authorization. So what purpose does RADIUS accounting serve?
There are several reasons to use RADIUS accounting:
RADIUS accounting records the logon and logoff time of each user, so it’s possible to correlate network access with malfunctions, security breaches, and other problems. If something untoward happens on a network, RADIUS accounting can show what clients were logged on at the time.
RADIUS accounting can provide metrics on network usage. Usage trends can be tracked and used in capacity planning, scheduling planned outages, or organizing help desk on-call availability.
Remember that the “DI” in RADIUS stands for “dial-in”? Although not a major concern for most networks anymore, some networks may still charge their users according to the time they spend on the network. Back when dial-up was the only access available for consumers, RADIUS accounting was used by ISPs to track and bill for their customers’ For any network that bills for access time, RADIUS accounting is still the way to go.
How Does RADIUS Accounting Work?
Simply put, when a user authenticates with RADIUS, an entry is made in a database that records the logon event, including the user name, IP address, and any other information that might be relevant for tracking and monitoring purposes. The same recording occurs when the user logs off. The accumulated record of logon and logoff events creates an audit trail that can be reported and analyzed.
To take full advantage of RADIUS accounting, a reporting capability that can easily access the accounting data in the database in a format that works best for each individual organization is required.
Implementing RADIUS Accounting
Like authentication and authorization, implementing accounting on your RADIUS server requires some know-how, planning, and testing. Because of the flexibility in what can be recorded, it’s sometimes difficult to know what data would be useful to keep. It might not be practical or advisable to keep everything because of the added load on the network and the database. At the same time, anything that might be important should not be left out. Often the best way to implement RADIUS accounting is to bring in an outside expert who knows organizations like yours and what they typically need to put into and get out of RADIUS accounting data.
Although it may seem that accounting, the third link of the AAA network security chain, is less critical than the other two security processes, it really is no less important. The price of security is eternal vigilance—it’s not a set-it-and-forget-it proposition, and even if you outsource responsibility for security to a third party, someone needs to keep watch. The monitoring that RADIUS accounting provides can be invaluable in tracking down, diagnosing, and fixing problems. No RADIUS security setup is complete without the accounting piece, so think about what accounting data would be most relevant to your organization, and make plans to put RADIUS accounting in place.
As with any security system, each part of the RADIUS server must be optimized for it to function effectively.
The three A’s of RADIUS security rely on each other. RADIUS security must be implemented with a holistic view of how each piece contributes to the entire product—employing only one or two of the links in the chain that is RADIUS security may leave gaping holes in your security system. Only by understanding the importance of each aspect of your security server will you be able to create a network that is efficient, streamlined, and safe.