diff --git a/conf/radiusd/eap.conf.example b/conf/radiusd/eap.conf.example
index 6cf1ade9094b..8b2cd6ee440b 100644
--- a/conf/radiusd/eap.conf.example
+++ b/conf/radiusd/eap.conf.example
@@ -268,11 +268,8 @@ eap [% key -%] {
 # in "man 1 ciphers".
 cipher_list = "[% eap.$key.tls.$tls.cipher_list %]"
- # Work-arounds for OpenSSL nonsense
- # OpenSSL 1.0.1f and 1.0.1g do not calculate
- # the EAP keys correctly. The fix is to upgrade
- # OpenSSL, or disable TLS 1.2 here.
-# disable_tlsv1_2 = no
+ tls_min_version = "[% eap.$key.tls.$tls.tls_min_version %]"
+ tls_max_version = "[% eap.$key.tls.$tls.tls_max_version %]"
 #
diff --git a/conf/radiusd/tls.conf.defaults b/conf/radiusd/tls.conf.defaults
index 819d04ddf046..08140babffa5 100644
--- a/conf/radiusd/tls.conf.defaults
+++ b/conf/radiusd/tls.conf.defaults
@@ -4,7 +4,8 @@ dh_file = ${certdir}/dh
 ca_path = ${cadir}
 cipher_list = DEFAULT
 ecdh_curve = prime256v1
-disable_tlsv1_2 = yes
+tls_min_version = 1.2
+tls_max_version = 1.2
 ocsp=default
 [tls-eap-fast]
@@ -13,5 +14,6 @@ dh_file = ${certdir}/dh
 ca_path = ${cadir}
 cipher_list = ALL:!EXPORT:!eNULL:!SSLv2
 ecdh_curve = prime256v1
-disable_tlsv1_2 = yes
+tls_min_version = 1.2
+tls_max_version = 1.2
 ocsp=default
diff --git a/docs/PacketFence_Upgrade_Guide.asciidoc b/docs/PacketFence_Upgrade_Guide.asciidoc
index fe3f5d044b9d..057f6b2c1d15 100644
--- a/docs/PacketFence_Upgrade_Guide.asciidoc
+++ b/docs/PacketFence_Upgrade_Guide.asciidoc
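Review bot: The template stops emitting `disable_tlsv1_2`, but the TLSProfile.pm form (the `has_field disable_tlsv1_2 => ( default => 'no' )` context of its second hunk) still declares and persists that field, so the setting is now dead in the UI and should either be dropped from the form or folded into `tls_max_version` when a profile is read. The deleted block also removed the only comment on the TLS-version knobs; a line such as `# TLS protocol range for this profile; both ends are pinned by the defaults in tls.conf.defaults` above the two new lines would keep the generated eap.conf self-describing. If a profile has no `tls_min_version`/`tls_max_version` key, this renders `tls_min_version = ""`; presumably the config store merges tls.conf.defaults into every profile, but if it does not, FreeRADIUS would read an empty version string, so that merge should be confirmed or the lines wrapped in an `[% IF %]` guard. The enclosing `eap` section continues outside the hunk.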
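Review bot: `tls_max_version = 1.2` in both hunks pins the ceiling as well as the floor, so TLS 1.3 is excluded by default even though the TLSProfile form offers `1.3` from `@TLS_VERSIONS`, and the upgrade-guide hunk only says that 1.0/1.1 are disabled, not that 1.3 is capped. If the cap is deliberate, say why next to it, e.g. `# max pinned to 1.2 on purpose; raise it only once TLS 1.3 has been validated with the deployed supplicants`; if it is not, set `tls_max_version = 1.3` so the defaults stop lagging the selectable range. The same two lines recur in the `[tls-eap-fast]` hunk and should carry the same comment or change.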
@@ -1681,6 +1681,14 @@ The `pf-maint.pl` script used to get maintenance patches has been deprecated. Yo
 The WMI scan engines have been deprecated. If you previously used these scan engines, you should migrate to other scan engines.
+=== TLS 1.0 and 1.1 are disabled by default in FreeRADIUS
+
+TLS 1.0 and TLS 1.1 are now disabled by default. If you still have supplicants
+using theses protocols, you should move to TLS 1.2. If it's not possible, you
+can adjust `TLS Minimum version` in _Configuration -> System configuration ->
+RADIUS -> TLS profiles_.
+
+
 == Upgrading from a version prior to 11.1.0
diff --git a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm
index 5cc4720fa273..3bd78fd3faea 100644
--- a/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm
+++ b/html/pfappserver/lib/pfappserver/Form/Config/Radiusd/TLSProfile.pm
@@ -15,6 +15,7 @@ use warnings;
 use HTML::FormHandler::Moose;
 use pf::ConfigStore::Radiusd::OCSPProfile;
 use pf::ConfigStore::SSLCertificate;
+use pf::radius::constants;
 extends 'pfappserver::Base::Form';
 with qw(pfappserver::Base::Form::Role::Help);
 ## Definition
@@ -59,6 +60,17 @@ has_field disable_tlsv1_2 => (
 default => 'no',
 );
+has_field tls_min_version => (
+ type => 'Select',
+ options_method => \&options_tls_version,
+);
+
+has_field tls_max_version => (
+ type => 'Select',
+ options_method => \&options_tls_version,
+);
+
+
 sub options_certificate_profile {
 return map { { value => $_, label => $_ } } @{pf::ConfigStore::SSLCertificate->new->readAllIds};
 }
@@ -67,6 +79,10 @@ sub options_ocsp {
 return map { { value => $_, label => $_ } } @{pf::ConfigStore::Radiusd::OCSPProfile->new->readAllIds};
 }
+sub options_tls_version {
+ return map { { value => $_, label => $_ } } @{RADIUS::TLS_VERSIONS};
+}
+
 =head1 AUTHOR
 Inverse inc.
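Review bot: The two new Select fields carry no `default` and no cross-field check, so the form happily saves `tls_min_version` above `tls_max_version` (min 1.3, max 1.0), an inverted range that FreeRADIUS will reject when it loads the generated eap.conf rather than the form rejecting it at save time. Give both fields `default => '1.2'` so a freshly created profile matches tls.conf.defaults, and add a form-level `validate` that compares the two numerically and attaches the error to the offending field; if this form already overrides `validate` somewhere outside the hunk, fold the check into it. The unrelated `disable_tlsv1_2` field in the hunk's context is discussed on the eap.conf.example hunk.
```perl
has_field tls_max_version => (
    type           => 'Select',
    options_method => \&options_tls_version,
    default        => '1.2',
);

# Reject a range whose floor is above its ceiling; the generated eap.conf
# would otherwise fail to load instead of the form flagging the mistake.
sub validate {
    my ($self) = @_;
    my $min = $self->field('tls_min_version')->value;
    my $max = $self->field('tls_max_version')->value;
    if (defined $min && defined $max && $min > $max) {
        $self->field('tls_min_version')->add_error('TLS minimum version cannot exceed TLS maximum version');
    }
    return;
}
```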
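Review bot: `@{RADIUS::TLS_VERSIONS}` is the package array `@RADIUS::TLS_VERSIONS` written with redundant braces; the sibling subs use `@{ ... }` because `readAllIds` hands them an arrayref, which is not the case here, so `return map { { value => $_, label => $_ } } @RADIUS::TLS_VERSIONS;` states the intent more honestly. Since the file carries POD (`=head1 AUTHOR` follows the hunk), a `=head2 options_tls_version` entry noting that the choices are, presumably, the `@TLS_VERSIONS` declared in the trailing pf::radius::constants hunk would match the file's documentation style.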
diff --git a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue index 6880a7287720..c5c851a3b6f1 100644 --- a/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue +++ b/html/pfappserver/root/src/views/Configuration/radius/tls/_components/TheForm.vue @@ -30,8 +30,12 @@ :column-label="$i18n.t('ECDH Curve')" /> - + + ( 36 => "PPPoEoQinQ", ); +=item TLS Versions + +Define all the TLS versions we can use + +=cut + +Readonly::Array our @TLS_VERSIONS => qw(1.0 1.1 1.2 1.3); package ACCOUNTING;