Attribute Lists

An attribute list contains a set of attributes. The allowed lists are:

There must be a dot . after the list name, and before the attribute name. This syntax helps the server to distinguish between list names and attribute names.

With the exception of session-state, all of the above lists are ephemeral. That is, they exist for one packet exchange, and only one packet exchange. When a reply is sent for a request, the above lists and all attributes are deleted. There is no way to reference an attribute from a previous packet. We recommend using a database to track complex state.

In some cases, requests are associated a multi-packet exchange. For those situations, the session-state list is automatically saved when a reply is sent, and it is automatically restored when the next packet in sequence comes in. Once the packet exchange has been finished, the session-state list is deleted.

In some cases, there is a parent-child relationship between requests. In those situations, it is possible for the policy rules in the child to refer to attributes in the parent. This reference can be made by prefixing the <list> name with the parent qualifier. If there are multiple parent-child relationships, the parent qualifier can be repeated.

The outer key word refers to the outmost request which is usually the RADIUS request sent by the NAS. In an EAP session, outer is often the same as parent, since the outer EAP request is a parent of the inner (tunnelled) request. However, outer and parent are distinct and the key words outer and parent are not synonymous. The two lists will be different when one server uses subrequest to create nested requests.

There is, however, no way for the parent to refer to the child. When the child is running, the parent is suspended. Once the child finishes, it is deleted, and is no longer accessible to the parent.

parent.request.User-Name
parent.reply.Reply-Message
parent.parent.session-state.Filter-Id