Phil,

I agree with you to the extent that simply modifying the default configuration file to define a cipher_list would be a rather poor idea as it would stick around as best practices change.

I think the right approach is to change the behaviour of FreeRADIUS so that it sets a sane cipher suites configuration where cipher_list isn't defined in eap.conf.

As new releases of FreeRADIUS come out, this can be easily changed as becomes necessary as best practices change.

Nick