diff --git a/filter_plugins/enquote.py b/filter_plugins/enquote.py
new file mode 100644
index 0000000..fb90672
--- /dev/null
+++ b/filter_plugins/enquote.py
@@ -0,0 +1,10 @@
+class FilterModule:
+ def filters(self):
+ return {
+ "enquote": enquote,
+ }
+
+
+def enquote(text, quote='"'):
+ escaped = text.replace(quote, f"\\{quote}")
+ return f"{quote}{escaped}{quote}"
diff --git a/roles/freeradius/defaults/main.yml b/roles/freeradius/defaults/main.yml
index fd21d56..6a037be 100644
--- a/roles/freeradius/defaults/main.yml
+++ b/roles/freeradius/defaults/main.yml
@@ -8,7 +8,6 @@ radiusd__enabled_modules_minimal:
 - cache_eap # TODO
 - detail # TODO
 - detail.log # TODO
- - digest # TODO
 - dynamic_clients # TODO
 - eap # TODO
 - expiration # TODO
@@ -17,12 +16,13 @@ radiusd__enabled_modules_minimal:
 - linelog # TODO
 - logintime # TODO
 - mschap # TODO
- - passwd # TODO
 - preprocess # TODO
- - radutmp # TODO
 - realm # TODO
- - sradutmp # TODO
 - unpack # TODO
 - utf8
 radiusd__enabled_modules: []
+radiusd__tls_cipher_list: DEFAULT
+radiusd__tls_certificate_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
+radiusd__tls_private_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
+radiusd__tls_ca_file: /etc/ssl/certs/ca-certificates.crt
 ...
diff --git a/roles/freeradius/tasks/main.yml b/roles/freeradius/tasks/main.yml
index 2bce692..f2327a7 100644
--- a/roles/freeradius/tasks/main.yml
+++ b/roles/freeradius/tasks/main.yml
@@ -67,6 +67,7 @@
 - dictionary
 - mods-available/utf8
 - mods-available/always
+ - mods-available/eap
 notify:
 - Restart freeradius
 
diff --git a/roles/freeradius/templates/mods-available/eap.j2 b/roles/freeradius/templates/mods-available/eap.j2
new file mode 100644
index 0000000..2025591
--- /dev/null
+++ b/roles/freeradius/templates/mods-available/eap.j2
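Review bot: `enquote` escapes only the quote character, so a value that already contains a backslash breaks the quoting — `a\"` becomes `"a\\""`, where `\\` is read as a literal backslash and the next `"` ends the string early, and a trailing `\` escapes the closing quote and leaves it unterminated. Escape backslashes first: `escaped = str(text).replace("\\", "\\\\").replace(quote, f"\\{quote}")`; `str(text)` also covers non-string values YAML can yield (an int or boolean), which otherwise fail on `.replace` at template time. Whether FreeRADIUS honours `\\` inside a double-quoted value should be confirmed against its config parser, since that is where this commit uses the filter (`cipher_list` in the eap template). A one-line docstring, `"""Wrap *text* in *quote*, escaping embedded quotes and backslashes so the value stays a single config-file token."""`, would document the contract the templates rely on.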
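Review bot: The new `radiusd__tls_certificate_file` and `radiusd__tls_private_key_file` defaults point at the Debian snakeoil self-signed pair, and `radiusd__tls_ca_file` at the whole public bundle `/etc/ssl/certs/ca-certificates.crt`, with nothing in the file saying these are placeholders. A comment above the four lines would make the intent explicit, e.g. `# Placeholder self-signed pair; override with the deployment's server certificate.` and `# ca_file is what the TLS config trusts for peer certificates; prefer the issuing CA only.` The `ca_file` remark is hedged on how the eap template uses it — in this commit it is referenced only from `tls-config tls-common`.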
@@ -0,0 +1,47 @@
+{{ ansible_managed | comment }}
+
+eap {
+
+ default_eap_type = peap
+ timer_expire = 60
+ ignore_unknown_eap_types = no
+ cisco_accounting_username_bug = no
+ max_sessions = ${max_requests}
+
+ tls-config tls-common {
+ private_key_file = {{ radiusd__tls_private_key_file }}
+ certificate_file = {{ radiusd__tls_certificate_file }}
+ ca_file = {{ radiusd__tls_ca_file }}
+ dh_file = ${certdir}/dh
+ cipher_list = {{ radiusd__tls_cipher_list | enquote }}
+ cipher_server_preferences = yes
+ tls_min_version = "1.2"
+ tls_max_version = "1.2" # TODO: 1.3
+ # TODO
+ # cache {
+ # enable = yes
+ # lifetime = 24
+ # name = "eap"
+ # persistdir = "${logdir}/tlscache"
+ # store {
+ # Tunnel-Private-Group-Id
+ # }
+ # }
+ }
+
+ peap {
+ tls = tls-common
+ default_eap_type = gtc
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = inner-tunnel
+ }
+
+ gtc {
+ auth_type = local
+ }
+
+ mschapv2 {
+ }
+
+}
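Review bot: In `tls-config tls-common` the three path values are interpolated bare while `cipher_list` goes through `| enquote`, so a path containing whitespace would be mis-parsed and the quoting is inconsistent within the same block; write `private_key_file = {{ radiusd__tls_private_key_file | enquote }}` and the same for `certificate_file` and `ca_file`. `dh_file = ${certdir}/dh` refers to a file nothing in this commit creates, so either the role must generate it or the module may fail to load — confirm which. With `ca_file` defaulting to the system CA bundle, any client certificate chaining to a public CA would verify should client-certificate authentication be enabled later; a `# TODO: narrow ca_file to the issuing CA before enabling client certs` next to that line records the risk. The commented-out `cache` block carries only `# TODO`; one sentence on why it is disabled would help the next reader.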