freeradius: add tls_max_version setting

net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml

@@ -58,4 +58,10 @@
         <type>dropdown</type>
         <help>Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.</help>
     </field>
+    <field>
+        <id>eap.tls_max_version</id>
+        <label>TLS Maximum Version</label>
+        <type>dropdown</type>
+        <help>Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients.</help>
+    </field>
 </form>

net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.9.17</version>
+    <version>1.9.18</version>
     <items>
         <default_eap_type type="OptionField">
             <Default>md5</Default>
@@ -65,5 +65,16 @@
                 <Option4 value="1.3">1.3</Option4>
             </OptionValues>
         </tls_min_version>
+        <tls_max_version type="OptionField">
+            <Default>1.3</Default>
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <Option1 value="1.0">1.0</Option1>
+                <Option2 value="1.1">1.1</Option2>
+                <Option3 value="1.2">1.2</Option3>
+                <Option4 value="1.3">1.3</Option4>
+            </OptionValues>
+        </tls_max_version>
     </items>
 </model>

net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap

@@ -456,7 +456,7 @@ eap {
                 #  The values must be in quotes.
                 #
                 tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
-                tls_max_version = "1.3"
+                tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"
 
                 #  Elliptical cryptography configuration
                 #