eap {
  default_eap_type = tls
  tls-config tls-common {
{% if rad_tls_key_pass is defined %}
    private_key_password = {{ rad_tls_key_pass }}
{% endif %}
    private_key_file = /etc/radius/certs/key.pem
    certificate_file = /etc/radius/certs/cert.pem
{% if rad_tls_ca is defined %}
    ca_file = /etc/radius/certs/ca.pem
{% endif %}
    dh_file = /etc/radius/certs/dh.pem
    ca_path = /etc/radius/certs/
    ecdh_curve = "prime256v1"
{% if rad_tls_issuert is defined %}
    check_cert_issuer = "{{ rad_tls_issuer }}"
{% endif %}
    verify {
      tmpdir = /run/radiusd/tls
      client = "/usr/local/bin/rad_check_client_cert --cert %{TLS-Client-Cert-Filename}{% if rad_tls_crl is defined %} --crl {{ (rad_tls_crl is search ('https?://')) | ternary(rad_tls_crl,'/etc/radius/certs/crl.pem') }}{% endif %}{% if rad_tls_issuer is defined %} --issuer '{{ rad_tls_issuer }}'{% endif %}"
    }
  }

  tls {
    tls = tls-common
  }
}