A device associated with the authentication of a user on a network, i.e., an "authentication device," initiates lawful interception of network traffic associated with the user. The authentication device communicates with a network service device, such as an edge router, providing network access or other services to the user to enable and disable monitoring of the network user. The authentication device may issue intercept requests to the network service device upon authenticating the network user during login or at any time while the network user's session is in progress. Upon receiving an intercept request from the authentication device, the network service device mirrors data packets flowing to and from the network user for which interception has been designated. The mirrored packets are sent to an analyzer, which analyzes the packets and provides packet analysis information to a law enforcement agency.