diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 849522105..ebdf96b0a 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.1.0
+PLUGIN_VERSION=		1.2.0
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php
new file mode 100644
index 000000000..7d7ffaab9
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ *    Copyright (C) 2015 - 2017 Deciso B.V.
+ *    Copyright (C) 2017 Michael Muenz
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Freeradius\Api;
+
+use \OPNsense\Base\ApiControllerBase;
+use \OPNsense\Freeradius\Eap;
+use \OPNsense\Core\Config;
+
+class EapController extends ApiControllerBase
+{
+    public function getAction()
+    {
+        // define list of configurable settings
+        $result = array();
+        if ($this->request->isGet()) {
+            $mdlEAP = new EAP();
+            $result['eap'] = $mdlEAP->getNodes();
+        }
+        return $result;
+    }
+
+    public function setAction()
+    {
+        $result = array("result"=>"failed");
+        if ($this->request->isPost()) {
+            // load model and update with provided data
+            $mdlEAP = new EAP();
+            $mdlEAP->setNodes($this->request->getPost("eap"));
+
+            // perform validation
+            $valMsgs = $mdlEAP->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                if (!array_key_exists("validations", $result)) {
+                    $result["validations"] = array();
+                }
+                $result["validations"]["eap.".$msg->getField()] = $msg->getMessage();
+            }
+
+            // serialize model to config and save
+            if ($valMsgs->count() == 0) {
+                $mdlEAP->serializeToConfig();
+                Config::getInstance()->save();
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/EapController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/EapController.php
new file mode 100644
index 000000000..3a5ca25a9
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/EapController.php
@@ -0,0 +1,38 @@
+<?php
+/*
+    Copyright (C) 2017 Michael Muenz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Freeradius;
+
+class EapController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->title = gettext("EAP Settings");
+        $this->view->eapForm = $this->getForm("eap");
+        $this->view->pick('OPNsense/Freeradius/eap');
+    }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
new file mode 100644
index 000000000..077d5316d
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -0,0 +1,32 @@
+<form>
+    <field>
+        <id>eap.default_eap_type</id>
+        <label>Default EAP Type</label>
+        <type>dropdown</type>
+        <help>Set the default EAP type.</help>
+    </field>
+    <field>
+        <id>eap.enable_client_cert</id>
+        <label>Enable Client Certficate Authentication</label>
+        <type>checkbox</type>
+        <help>This will activate certificate based authentication. Please choose CA and Certificate below and do not forget to roll out certificates to the clients.</help>
+    </field>
+    <field>
+        <id>eap.ca</id>
+        <label>Root Certificate</label>
+        <type>dropdown</type>
+        <help>Choose the Root CA.</help>
+    </field>
+    <field>
+        <id>eap.certificate</id>
+        <label>Server Certificate</label>
+        <type>dropdown</type>
+        <help>Choose the certificate the Radius service should use.</help>
+    </field>
+    <field>
+        <id>eap.crl</id>
+        <label>CRL</label>
+        <type>dropdown</type>
+        <help>This enables CRL checking, please restart this service with every change to the CRL.</help>
+    </field>
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
new file mode 100644
index 000000000..218714369
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
@@ -0,0 +1,34 @@
+<?php
+namespace OPNsense\Freeradius;
+
+use OPNsense\Base\BaseModel;
+
+/*
+    Copyright (C) 2017 Michael Muenz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class Eap extends BaseModel
+{
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
new file mode 100644
index 000000000..632b309ba
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -0,0 +1,37 @@
+<model>
+    <mount>//OPNsense/freeradius/eap</mount>
+    <description>EAP configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <default_eap_type type="OptionField">
+            <default>MD5</default>
+            <Required>Y</Required>
+            <multiple>N</multiple>
+            <OptionValues>
+                <md5>MD5</md5>
+                <mschapv2>MSCHAPv2</mschapv2>
+                <peap>PEAP</peap>
+                <ttls>TTLS</ttls>
+            </OptionValues>
+        </default_eap_type>
+        <enable_client_cert type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enable_client_cert>
+        <ca type="CertificateField">
+            <default></default>
+            <Type>ca</Type>
+            <Required>N</Required>
+        </ca>
+        <certificate type="CertificateField">
+            <default></default>
+            <Type>cert</Type>
+            <Required>N</Required>
+        </certificate>
+        <crl type="CertificateField">
+            <default></default>
+            <Type>crl</Type>
+            <Required>N</Required>
+        </crl>
+    </items>
+</model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
index a1222c17c..6d976707f 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
@@ -4,6 +4,7 @@
       <General url="/ui/freeradius/general/index" order="10"/>
       <User url="/ui/freeradius/user/index" order="20"/>
       <Client url="/ui/freeradius/client/index" order="30"/>
+      <EAP url="/ui/freeradius/eap/index" order="40"/>
     </FreeRADIUS>
   </Services>
 </menu>
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/eap.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/eap.volt
new file mode 100644
index 000000000..25d184715
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/eap.volt
@@ -0,0 +1,62 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+This file is Copyright © 2017 by Michael Muenz
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':eapForm,'id':'frm_eap_settings'])}}
+    <hr />
+    <div class="col-md-12">
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress" class=""></i></button>
+    </div>
+</div>
+
+<script type="text/javascript">
+    $( document ).ready(function () {
+        var data_get_map = {'frm_eap_settings':"/api/freeradius/eap/get"};
+        mapDataToFormUI(data_get_map).done(function (data) {
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+        ajaxCall(url="/api/freeradius/service/status", sendData={}, callback=function (data, status) {
+            updateServiceStatusUI(data['status']);
+        });
+
+        // link save button to API set action
+        $("#saveAct").click(function () {
+            saveFormToEndpoint(url="/api/freeradius/eap/set", formid='frm_eap_settings',callback_ok=function () {
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/freeradius/service/reconfigure", sendData={}, callback=function (data,status) {
+                    ajaxCall(url="/api/freeradius/service/status", sendData={}, callback=function (data,status) {
+                        updateServiceStatusUI(data['status']);
+                    });
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+</script>
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
new file mode 100755
index 000000000..acf712671
--- /dev/null
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -0,0 +1,102 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2015 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$cert_pem_filename = '/usr/local/etc/raddb/certs/cert_opn.pem';
+$cert_pem_content = '';
+
+$ca_pem_filename = '/usr/local/etc/raddb/certs/ca_opn.pem';
+$ca_pem_content = '';
+
+// traverse Freeradius plugin for certficiates
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->freeradius)) {
+    foreach ($configObj->OPNsense->freeradius->children() as $find_cert) {
+        $cert_refid = (string)$find_cert->certificate;
+        // if eap has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$cert->crt)
+                    )));
+
+                    $pem_content .= "\n";
+                    $pem_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$cert->prv))
+                    ));
+                    $pem_content .= "\n";
+                    $cert_pem_content .= $pem_content;
+                    // generate ca pem file
+                    if (!empty($cert->caref)) {
+                        $cert = (array)$cert;
+                        $ca_pem_content .= ca_chain($cert);
+                    }
+                }
+            }
+        }
+
+        $cert_refid = (string)$find_cert->crl;
+        // if eap has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->crl as $crl) {
+                if ($cert_refid == (string)$crl->refid && !empty((string)$crl->text)) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$crl->text)
+                    )));
+                    $pem_content .= "\n";
+                    $ca_pem_content .= $pem_content;
+                }
+            }
+        }
+    }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($ca_pem_filename, $ca_pem_content);
+chmod($ca_pem_filename, 0600);
+echo "Certificates generated $ca_pem_filename\n";
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh b/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
index 5ed191e6a..21e9fa96f 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/setup.sh
@@ -15,3 +15,5 @@ for FILE in ${RADIUS_FILES}; do
 	touch ${FILE}
 	chmod 700 ${FILE}
 done
+
+/usr/local/opnsense/scripts/Freeradius/generate_certs.php
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 329b09739..dc32f5180 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -26,7 +26,9 @@ eap {
         #  then that EAP type takes precedence over the
         #  default type configured here.
         #
-        default_eap_type = md5
+{% if helpers.exists('OPNsense.freeradius.eap.default_eap_type') and OPNsense.freeradius.eap.default_eap_type != '' %}
+        default_eap_type = {{ OPNsense.freeradius.eap.default_eap_type }}
+{% endif %}
 
         #  A list is maintained to correlate EAP-Response
         #  packets with EAP-Request packets.  After a
@@ -172,9 +174,14 @@ eap {
         #  ANYONE who has a certificate signed by them can
         #  authenticate via EAP-TLS!  This is likely not what you want.
         tls-config tls-common {
+{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
+{%   if helpers.exists('OPNsense.freeradius.eap.certificate') and OPNsense.freeradius.eap.certificate != '' %}
+                private_key_password =
+                private_key_file = ${certdir}/cert_opn.pem
+                certificate_file = ${certdir}/cert_opn.pem
+{%   else %}
                 private_key_password = whatever
                 private_key_file = ${certdir}/server.pem
-
                 #  If Private key & Certificate are located in
                 #  the same file, then private_key_file &
                 #  certificate_file must contain the same file
@@ -186,7 +193,7 @@ eap {
                 #  of the CA certificates used to sign the
                 #  server certificate.
                 certificate_file = ${certdir}/server.pem
-
+{%   endif %}
                 #  Trusted Root CA list
                 #
                 #  ALL of the CA's in this list will be trusted
@@ -197,8 +204,11 @@ eap {
                 #  In that case, this CA file should contain
                 #  *one* CA certificate.
                 #
+{%   if helpers.exists('OPNsense.freeradius.eap.ca') and OPNsense.freeradius.eap.ca != '' %}
+                ca_file = ${certdir}/ca_opn.pem
+{%   else %}
                 ca_file = ${cadir}/ca.pem
-
+{%   endif %}
                 #  OpenSSL will automatically create certificate chains,
                 #  unless we tell it to not do that.  The problem is that
                 #  it sometimes gets the chains right from a certificate
@@ -280,8 +290,11 @@ eap {
                 #    'c_rehash' is OpenSSL's command.
                 #  3) uncomment the lines below.
                 #  5) Restart radiusd
+{%   if helpers.exists('OPNsense.freeradius.eap.crl') and OPNsense.freeradius.eap.crl != '' %}
+                check_crl = yes
+{%   else %}
         #       check_crl = yes
-
+{%   endif %}
                 # Check if intermediate CAs have been revoked.
         #       check_all_crl = yes
 
@@ -557,7 +570,7 @@ eap {
                         # softfail = no
                 }
         }
-
+{% endif %}
         ## EAP-TLS
         #
         #  As of Version 3.0, the TLS configuration for TLS-based