Tracking Who Accessed What and When with RADIUS

They thought the network was quiet. It wasn’t. Every packet told a story of who accessed what and when—and RADIUS was the one keeping score.

RADIUS (Remote Authentication Dial-In User Service) is more than an access control protocol. It’s a logbook with precision timestamps, usernames, and session details. When configured correctly, it can answer the critical question: who touched which resource, at what exact moment, and from where.

Tracking “who accessed what and when” with RADIUS starts with its accounting feature. Every login and logout triggers an Accounting-Start and Accounting-Stop packet. Those packets contain vital fields:

• User-Name identifies the account.
• Acct-Session-Id ties events together into a single session.
• Acct-Status-Type records the action taken.
• NAS-IP-Address and Calling-Station-Id note where the session originated.
• Event-Timestamp pins it to an exact time.

By storing and indexing these logs, you create a clear audit trail. Combine RADIUS with a central logging system—SQL, NoSQL, or a specialized SIEM—and you can trace the full path of activity. This enables authorization reviews, compliance checks, and forensic analysis within seconds.

For deeper control, enable Interim-Updates. These send periodic packets during a session, giving you near real-time visibility of ongoing connections. When suspicious activity occurs, this data lets you act fast: identify the user, the resource accessed, and terminate or isolate the session without delay.

Security teams use RADIUS not just to authenticate, but to capture the complete chain of events. Without this telemetry, problems hide until it’s too late. With it, you know exactly who accessed a system, which files they touched, and when it happened—down to the second.

Don’t leave this power on paper. Spin it up, see the data stream in, and watch “who accessed what and when” become more than a question—it becomes a fact. Try it now on hoop.dev and see it live in minutes.