eap {
  default_eap_type = tls
  timer_expire = 60
  ignore_unknown_eap_types = yes
  cisco_accounting_username_bug = no
  max_sessions = \${max_requests}

  tls-config tls-common {
    private_key_password =
    private_key_file = ${freeradius_tls_key}
    certificate_file = ${freeradius_tls_cert}
    ca_file = ${site_cacert_path}
    ca_path = \${cadir}
    auto_chain = no
    check_crl = no
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    tls_min_version = "1.2"
    tls_max_version = "1.3"
    ecdh_curve = ""

    cache {
      enable = yes
      lifetime = 24 # hours
      name = "EAP module"
      persist_dir = "${freeradius_tlscache_dir}"
      store {
        Tunnel-Private-Group-Id
      }
    }

    verify { }

    ocsp {
      enable = no
    }
  }

  tls {
    tls = tls-common
  }
}