Feature improvements

• Allow syslog_severity to be set in rlm_linelog.
• Allow defaults to be set for bulk clients in LDAP and couchbase.
• Updates to dhcpclient. Patches from Nicolas C.
• rlm_mschap now supports direct connections to winbind, which is faster than ntlm_auth. See raddb/mods-available/mschap. Patch from Matthew Newton.
• Recommend /dev/urandom for TLS randomness, instead of ${certdir}/random
• Allow TLSv1 to be disabled via "disable_tlsv1" in tls{}.
• Allow Expanded EAP types where vendor is 0 (IETF) and type is normal EAP type. Supplicants sending Expanded EAP types like this are broken.
• Add support for server side sort controls when searching for user objects in rlm_ldap.

Bug fixes

• Don't complain about "authorize" in "server {}" blocks, but only if there's no "server" block.
• Fix cosmetic issue where debug from the first packet read by a detail reader thread would be emited during config parsing.
• Fix ASSERT on truncated detail packets.
• Don't use main server log functions from within panic_action, as in the case of syslog this would cause deadlocks if the fault was triggered from within a malloc.
• Fix issue in "switch" when "correct_escapes = false". Fixes #911.
• Fix sqlcounter configuration to use "%%b" instead of "%b", otherwise the new syntax validation will fail.
• Allow forward references in configuration items. Modules aren't always loaded in a sane order.
• Fix more escaping issues. Closes #912.
• Decode MAC addresses correctly for VMPS.
• Fix memory leak with TLS connections.
• Fix state machine threading issues for conflicting packets.
• Fix copy_request_to_tunnel issues for tagged attributes.
• Allow "ok" to over-ride "updated" inside of Auth-Type sections.
• Update state machine so that post-proxy is run though child threads for performance, instead of blocking the main thread.
• Allow "netmask" to work again in client definitions.
• Relax restrictions on SQL group queries.
• track outgoing proxy sockets and clean them up more aggressively.
• track proxy statistics, including CoA and Disconnect.
• If radmin has a connection failure when running a command, it re-connects and runs the command again.
• mark home servers "unknown" less aggressively.
• Fix potential SEGV in PostgreSQL driver on error.
• Fix issue where fields like nas_type would not be accessible via the %{client:} xlat, for dynamic clients.
• Set default busy_timeout (of 200ms) in the sqlite driver, so writes don't cause selects to fail in multithreaded mode. This is user configurable, and may be increased if required.
• Convert Password-With-Header attributes to binary (from hex or base64), in the authorize method of rlm_pap.
• Fix invalid assert in state.c, that could cause abort in post-auth.
• Fix double free when -m flag is used, and connection pools are referenced by multiple modules.
• RADIUS over TLS accounting uses the same port as authentication.
• Regularized return codes from radmin commands.
• Fix RHEL spec file so it works correctly for Centos7 which uses systemd, and didn't like the SystemV init script.
• radwho and radlast now have a -D option to load dictionaries
• DHCP packets are no longer checked for duplicates.
• Don't crash in sql module group comparisons in corner case.
• Calculate MPPE keys correctly when using TLS 1.2.
• Fix load-balance sections. Closes #945
• TLS certificates are available again in the post-auth section. They are not available for session resumption.
• radclient encodes CHAP-Password properly when using -c. Closes #955.
• Fix issue in rlm_cache_memcached driver that caused variable length values to be truncated.
• Fix track functionality in detail reader, so it no longer fails with a "Failed marking detail request as done: Bad file descriptor" error.
• Actually add the peer identity (as User-Name) to the inner tunnel in EAP-PWD requests, so it's available for lookups.
• Fixes to PostgreSQL queries. Patches from Santiago Gimeno.