FreeRADIUS 2.2.x authentication bypass CVE-2017-9148
The fix would seem to be never enabling "EAP-TLS Cache"; disable it now if you've set it previously.
FreeRADIUS maintainers seem to be adopting a "won't fix" posture, stating:
"Patches for those versions will not be released, as the issue can be corrected with a minor configuration change."
The pfSense package should probably reference the CVE now in the info section for this config section.
FreeRADIUS 2.x is deprecated; either putting a warning in the pfSense package or updating to 3 would be most appreciated.
According to these sites, FreeRADIUS 2.2.9 is not affected:
That said, 2.2.x is EOL and we're working on getting the package updated to FreeRADIUS 3.x.
I saw that FreeRADIUS 3.0.15 support was added to Available Packages.
Uninstalled freeradius2, installed freeradius3, and the configuration transferred over.
I imagine this was quite an undertaking, thanks much!
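
One way to audit for the setting discussed in this thread, as an added example that is not part of the original posts or of the FreeRADIUS or pfSense code: it walks the text of a FreeRADIUS EAP configuration and reports every `cache` section whose `enable` key is not an explicit "no". The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a FreeRADIUS eap config (not from the thread).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${certdir}/server.key
        cache {
            enable = yes   # TLS session cache switched on
            lifetime = 24
            max_entries = 255
        }
    }
}
"""

SECTION_OPEN = re.compile(r"^([\w.-]+)(?:\s+[\w.-]+)?\s*\{$")  # "tls {" or "tls-config name {"
ENABLE_KEY = re.compile(r"^enable\s*=\s*\"?(\w+)\"?$")

def find_tls_cache_settings(text):
    """Return [(section_path, value)] for each `enable` key inside a `cache` section."""
    stack, hits = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment strip, enough for this key
        if not line:
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "cache":
            found = ENABLE_KEY.match(line)
            if found:
                hits.append(("/".join(stack), found.group(1).lower()))
    return hits

def cache_enabled(text):
    """Flag for review anything that is not an explicit 'no' (assumption: fail closed)."""
    return any(v not in ("no", "false", "off") for _, v in find_tls_cache_settings(text))

if __name__ == "__main__":
    for path, value in find_tls_cache_settings(SAMPLE_EAP_CONF):
        print(f"{path}: enable = {value}")
    print("needs review:", cache_enabled(SAMPLE_EAP_CONF))
```

Run it against the text of the EAP module configuration your package actually generates; a configuration with no `enable` key in its `cache` section produces no findings and should be checked by hand.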