diff --git a/.gitignore b/.gitignore
index bde8c6d..92b7672 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@
 /freeradius-server-3.0.9.tar.bz2
 /freeradius-server-3.0.10.tar.bz2
 /freeradius-server-3.0.11.tar.bz2
+/freeradius-server-3.0.12.tar.bz2
diff --git a/freeradius-Use-system-crypto-policy-by-default.patch b/freeradius-Use-system-crypto-policy-by-default.patch
index c2c6d4f..e520081 100644
--- a/freeradius-Use-system-crypto-policy-by-default.patch
+++ b/freeradius-Use-system-crypto-policy-by-default.patch
@@ -1,4 +1,4 @@
-From 7811b36eba8d10f6f9425d120e6999211b3addde Mon Sep 17 00:00:00 2001
+From f6ca45b1bab63cbb75d81de3c17b8e7c43983acc Mon Sep 17 00:00:00 2001
 From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
 Date: Mon, 26 Sep 2016 19:48:36 +0300
 Subject: [PATCH] Use system crypto policy by default
@@ -11,20 +11,20 @@ Subject: [PATCH] Use system crypto policy by default
  4 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 8f38c47..432389a 100644
+index 5c99b09d4..83b5f95c7 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -320,7 +320,7 @@ eap {
- 		# Set this option to specify the allowed
- 		# TLS cipher suites.  The format is listed
- 		# in "man 1 ciphers".
+@@ -323,7 +323,7 @@ eap {
+ 		#
+ 		# For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+ 		#
 -		cipher_list = "DEFAULT"
 +		cipher_list = "PROFILE=SYSTEM"
  
  		# Work-arounds for OpenSSL nonsense
  		# OpenSSL 1.0.1f and 1.0.1g do not calculate
 diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
-index 2b4df62..af9aa88 100644
+index 2b4df6267..af9aa88cd 100644
 --- a/raddb/mods-available/inner-eap
 +++ b/raddb/mods-available/inner-eap
 @@ -68,7 +68,7 @@ eap inner-eap {
@@ -37,7 +37,7 @@ index 2b4df62..af9aa88 100644
  		#  You may want to set a very small fragment size.
  		#  The TLS data here needs to go inside of the
 diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
-index 79d74e6..d04d6be 100644
+index 79d74e6fc..d04d6be89 100644
 --- a/raddb/sites-available/abfab-tls
 +++ b/raddb/sites-available/abfab-tls
 @@ -19,7 +19,7 @@ listen {
@@ -50,7 +50,7 @@ index 79d74e6..d04d6be 100644
  		cache {
  			enable = no
 diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
-index eb60fa5..9b340d2 100644
+index eb60fa57b..9b340d2af 100644
 --- a/raddb/sites-available/tls
 +++ b/raddb/sites-available/tls
 @@ -197,7 +197,7 @@ listen {
@@ -72,5 +72,5 @@ index eb60fa5..9b340d2 100644
  
  }
 -- 
-2.9.3
+2.11.0
 
diff --git a/freeradius-redhat-config.patch b/freeradius-redhat-config.patch
index 8255f46..4b01df8 100644
--- a/freeradius-redhat-config.patch
+++ b/freeradius-redhat-config.patch
@@ -1,4 +1,4 @@
-From edcb433824bea5f7f7832b3ce0a2d59228e7e513 Mon Sep 17 00:00:00 2001
+From 1d732eca0c45ea670202f7cb643dc533d831b422 Mon Sep 17 00:00:00 2001
 From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
 Date: Mon, 8 Sep 2014 12:32:13 +0300
 Subject: [PATCH] Adjust configuration to fit Red Hat specifics
@@ -9,10 +9,10 @@ Subject: [PATCH] Adjust configuration to fit Red Hat specifics
  2 files changed, 5 insertions(+), 6 deletions(-)
 
 diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
-index 1b69550..8f38c47 100644
+index 0e8d5caef..5c99b09d4 100644
 --- a/raddb/mods-available/eap
 +++ b/raddb/mods-available/eap
-@@ -453,7 +453,7 @@ eap {
+@@ -462,7 +462,7 @@ eap {
  			#
  			#  You should also delete all of the files
  			#  in the directory when the server starts.
@@ -21,7 +21,7 @@ index 1b69550..8f38c47 100644
  
  			#  The command used to verify the client cert.
  			#  We recommend using the OpenSSL command-line
-@@ -467,7 +467,7 @@ eap {
+@@ -476,7 +476,7 @@ eap {
  			#  in PEM format.  This file is automatically
  			#  deleted by the server when the command
  			#  returns.
@@ -31,7 +31,7 @@ index 1b69550..8f38c47 100644
  
  		#
 diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
-index c62f4ff..625f434 100644
+index c62f4ffed..625f43447 100644
 --- a/raddb/radiusd.conf.in
 +++ b/raddb/radiusd.conf.in
 @@ -70,8 +70,7 @@ certdir = ${confdir}/certs
@@ -56,5 +56,5 @@ index c62f4ff..625f434 100644
  	#  Core dumps are a bad thing.  This should only be set to
  	#  'yes' if you're debugging a problem with the server.
 -- 
-2.8.0.rc3
+2.11.0
 
diff --git a/freeradius.spec b/freeradius.spec
index 5a1df01..2e4fea7 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
-Version: 3.0.11
-Release: 7%{?dist}
+Version: 3.0.12
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -270,6 +270,7 @@ rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-config/unbound/default.conf
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/couchbase
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/mods-available/abfab*
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/abfab*
+rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/policy.d/moonshot-targeted-ids
 rm $RPM_BUILD_ROOT/%{_sysconfdir}/raddb/sites-available/abfab*
 
 rm $RPM_BUILD_ROOT/%{_libdir}/freeradius/rlm_test.so
@@ -497,6 +498,7 @@ exit 0
 %config(missingok) /etc/raddb/mods-enabled/attr_filter
 %config(missingok) /etc/raddb/mods-enabled/cache_eap
 %config(missingok) /etc/raddb/mods-enabled/chap
+%config(missingok) /etc/raddb/mods-enabled/date
 %config(missingok) /etc/raddb/mods-enabled/detail
 %config(missingok) /etc/raddb/mods-enabled/detail.log
 %config(missingok) /etc/raddb/mods-enabled/dhcp
@@ -574,6 +576,7 @@ exit 0
 %{_libdir}/freeradius/rlm_digest.so
 %{_libdir}/freeradius/rlm_dynamic_clients.so
 %{_libdir}/freeradius/rlm_eap.so
+%{_libdir}/freeradius/rlm_eap_fast.so
 %{_libdir}/freeradius/rlm_eap_gtc.so
 %{_libdir}/freeradius/rlm_eap_leap.so
 %{_libdir}/freeradius/rlm_eap_md5.so
@@ -658,7 +661,9 @@ exit 0
 %doc %{_mandir}/man1/radtest.1.gz
 %doc %{_mandir}/man1/radwho.1.gz
 %doc %{_mandir}/man1/radzap.1.gz
+%doc %{_mandir}/man1/rad_counter.1.gz
 %doc %{_mandir}/man1/smbencrypt.1.gz
+%doc %{_mandir}/man1/dhcpclient.1.gz
 %doc %{_mandir}/man5/checkrad.5.gz
 %doc %{_mandir}/man8/radcrypt.8.gz
 %doc %{_mandir}/man8/radsniff.8.gz
@@ -786,6 +791,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Feb 17 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.12-1
+- Upgrade to upstream v3.0.12 release.
+  See upstream ChangeLog for details (in freeradius-doc subpackage).
+
 * Fri Feb 17 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.11-7
 - Make sure FreeRADIUS starts after IPA, directory, and Kerberos servers
 - Don't rotate radutmp, as it's not a log file
diff --git a/sources b/sources
index 50c74b9..dc5a87e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e8a748fe824223ed488cc74a1645023e  freeradius-server-3.0.11.tar.bz2
+SHA512 (freeradius-server-3.0.12.tar.bz2) = a79797b7d783083a926960c53e928c4fc06a77b77ec12d1ed80f2dbeec5add5ae4162be439ec3258fc9b7d85a1c709e586dcb5e0238065a3aff0a1f93de88b2f