From a7bd2bfc795d2f11b5a3019ebec2fec3dd7728b7 Mon Sep 17 00:00:00 2001
From: Kota Shiratsuka <kota@unchained.co.jp>
Date: Fri, 30 Jan 2026 13:19:38 +0900
Subject: [PATCH] freeradius: add tls_max_version setting

---
 .../controllers/OPNsense/Freeradius/forms/eap.xml   |  6 ++++++
 .../mvc/app/models/OPNsense/Freeradius/Eap.xml      | 13 ++++++++++++-
 .../templates/OPNsense/Freeradius/mods-enabled-eap  |  2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 1f9cc42dc..dea314515 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -58,4 +58,10 @@
         <type>dropdown</type>
         <help>Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.</help>
     </field>
+    <field>
+        <id>eap.tls_max_version</id>
+        <label>TLS Maximum Version</label>
+        <type>dropdown</type>
+        <help>Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index fba239000..7cda2110c 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.9.17</version>
+    <version>1.9.18</version>
     <items>
         <default_eap_type type="OptionField">
             <Default>md5</Default>
@@ -65,5 +65,16 @@
                 <Option4 value="1.3">1.3</Option4>
             </OptionValues>
         </tls_min_version>
+        <tls_max_version type="OptionField">
+            <Default>1.3</Default>
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <Option1 value="1.0">1.0</Option1>
+                <Option2 value="1.1">1.1</Option2>
+                <Option3 value="1.2">1.2</Option3>
+                <Option4 value="1.3">1.3</Option4>
+            </OptionValues>
+        </tls_max_version>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 652bebc8e..e43e15708 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -456,7 +456,7 @@ eap {
                 #  The values must be in quotes.
                 #
                 tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
-                tls_max_version = "1.3"
+                tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"
 
                 #  Elliptical cryptography configuration
                 #