1
00:00:07,360 --> 00:00:08,810
- [Instructor] Accounting is the process

2
00:00:08,810 --> 00:00:12,100
of auditing and monitoring what a user does

3
00:00:12,100 --> 00:00:14,860
once a specific resource is accessed.

4
00:00:14,860 --> 00:00:17,560
This process is sometimes overlooked.

5
00:00:17,560 --> 00:00:19,760
However, as a security professional,

6
00:00:19,760 --> 00:00:22,184
it is important to be aware of accounting

7
00:00:22,184 --> 00:00:25,300
and to advocate that it be implemented

8
00:00:25,300 --> 00:00:27,410
because of the great help it provides

9
00:00:27,410 --> 00:00:29,880
during detection and investigation

10
00:00:29,880 --> 00:00:31,950
of cybersecurity breaches.

11
00:00:31,950 --> 00:00:33,350
When accounting is implemented,

12
00:00:33,350 --> 00:00:36,420
an audit trail log is created and stored

13
00:00:36,420 --> 00:00:41,318
that details when the user has accessed the resource,

14
00:00:41,318 --> 00:00:44,610
what the user did with that resource,

15
00:00:44,610 --> 00:00:47,100
and when the user stopped using the resource.

16
00:00:47,100 --> 00:00:49,680
Given the potential sensitive information included

17
00:00:49,680 --> 00:00:51,620
in the auditing logs,

18
00:00:51,620 --> 00:00:54,380
special care should be taken to protect them

19
00:00:54,380 --> 00:00:56,950
from unauthorized access.

20
00:00:56,950 --> 00:01:01,570
In RADIUS, the accounting exchange consists of two messages,

21
00:01:01,570 --> 00:01:06,120
accounting-request and accounting-response.

22
00:01:06,120 --> 00:01:08,580
Accounting can be used, for example,

23
00:01:08,580 --> 00:01:11,020
to specify how long a user

24
00:01:11,020 --> 00:01:13,720
has been connected to the network,

25
00:01:13,720 --> 00:01:15,760
the start and stop of a session.

26
00:01:15,760 --> 00:01:18,070
The RADIUS exchange is authenticated

27
00:01:18,070 --> 00:01:20,550
by using a shared secret key

28
00:01:20,550 --> 00:01:23,790
between the access server and the RADIUS server.

29
00:01:23,790 --> 00:01:26,170
Only the user password information

30
00:01:26,170 --> 00:01:29,050
in the access request is encrypted.

31
00:01:29,050 --> 00:01:31,840
The rest of the packets are sent in plain text.

32
00:01:31,840 --> 00:01:35,490
You can configure periodic RADIUS accounting packets

33
00:01:35,490 --> 00:01:40,100
to allow the RADIUS server, such as Cisco ISE,

34
00:01:40,100 --> 00:01:43,810
to track which sessions are still active on the network.

35
00:01:43,810 --> 00:01:45,310
In the following example,

36
00:01:45,310 --> 00:01:48,410
periodic updates are configured to be sent

37
00:01:48,410 --> 00:01:51,170
whenever there is new information

38
00:01:51,170 --> 00:01:53,750
as well as a periodic update

39
00:01:53,750 --> 00:01:55,633
once every 24 hours.