Configuration changes

• Better handle backslashes in strings in the configuration files. If the configuration items contain backslashes, then behavior may change. However, the previous behavior didn't work as expected, and therefore is not likely to be used.
• reject_delay no longer applies to proxied packets. All servers should now set reject_delay = 1 for security and scalability.
• %{randstr:...} now returns the requested amount of data, instead of one too many bytes.

Feature improvements

• Preliminary support for TEAP.
• Update EAP module pre_proxy checks to make them less restrictive. This prevents the "middle box" effect from affecting future traffic.
• Many fixes and updates for Docker images
• Add dpsk module. See mods-available/dpsk
• Print out what cause the TLS operations to be made, such as the EAP method name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
• Add auto_escape to sample SQL module config
• Add 'if not exists' to mysql create table queries. ref #5032 (#5137)
• Update dictionary.aruba; add dictionary.tplink, dictionary.alphion
• Allow for encrypt=1 attributes to be longer than 128 characters.
• Added radsecret program which generates strong secrets. See the top of the clients.conf file for more information.
• radclient now prints packets as hex when using -xxx.
• Added -t timeout to radsniff. It will stop processing packets after seconds.
• Support interface = ... on OSX and other *BSD which have IP_BOUND_IF.
• The detail module now has a dates_as_integer configuration item. See mods-available/detail for more information.
• Add lookback/lookforward steps and more configuration to totp. See mods-available/totp.
• Add time_since xlat to calculate elapsed time in seconds, milliseconds and microseconds.
• Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from Alexander Clouter. PR #5320.
• Add "proxy_dedup_window". See radiusd.conf.
• Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf.
• Add dedup_key for misbehaving supplicants. See mods-available/eap

Bug fixes

• Fix corner case with empty defaults in rlm_files. Fixes #5035
• When we have multiple attributes of the same name, always use the canonical attribute
• Make FreeRADIUS-Server-EMA* attributes work again for home server exponential moving average statistics.
• Don't send the global server stats when asked for client stats. They use the same attributes, so the result is confusing.
• Fix multiple typos in MongoDB query.conf (#5130)
• Add define for illumos. Fixes #5135
• Add client configuration for TLS PSK.
• Permit originate CoA after proxying to an internal virtual server
• Use virtual server default when passed -i and -p on the command line.
• Fix locking issues with rlm_python3.
• The detail file reader will catch bad times in the file, and will not update Acct-Delay-Time with extreme values.
• Fix issue where Message-Authenticator was calculated incorrectly for CoA / Disconnect ACK and NAK packets.
• Update Python thread and error handling. Fixes #5208.
• Fix handling of Session-State when proxying. Fixes #5288.
• Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
• Add limit section to AWS health check configurtion. Fixes 35300.
• Use MAX in sqlite queries instead of GREATEST.
• Fix typo in Mongo queries. Fixes #5301.
• Fix occasional crash with bad home servers. Fixes #5308.
• Minor bug fixes to the SQL freetds modules.
• Fix blocking issue with RADIUS/TLS connection checks.
• Fix run-time crash on configuration typos of %{substr ...} instead of %{substr:...} Fixes #5321.
• Fix crash with TLS Status-Server requests. Fixes #5326.