diff --git a/manifests/module/eap.pp b/manifests/module/eap.pp
index 86f514d6f431a280ad563cd54f110e4c06d1ae84..b1343a88d22c1817113d2b925afee7ae6384ebbf 100644
--- a/manifests/module/eap.pp
+++ b/manifests/module/eap.pp
@@ -36,6 +36,8 @@ define freeradius::module::eap (
   Optional[String] $tls_check_cert_cn                               = undef,
   String $tls_cipher_list                                           = 'DEFAULT',
   Optional[Freeradius::Boolean] $tls_disable_tlsv1_2                = undef,
+  Optional[String] $tls_min_version                                 = undef,
+  Optional[String] $tls_max_version                                 = undef,
   String $tls_ecdh_curve                                            = 'prime256v1',
   Freeradius::Boolean $tls_cache_enable                             = 'yes',
   Integer $tls_cache_lifetime                                       = 24,
diff --git a/templates/eap.erb b/templates/eap.erb
index 4aedc9bf47fd2d7d8dba2613af217cd2ced24ca8..6e909c8bacea86fb880f5f03a99f370c8f131226 100644
--- a/templates/eap.erb
+++ b/templates/eap.erb
@@ -381,7 +381,27 @@ eap {
     disable_tlsv1_2 = <%= @tls_disable_tlsv1_2 %>
 <%- end -%>
 
+<%- if @tls_min_version or @tls_max_version -%>
+    #  Set min / max TLS version.  Mainly for Debian
+    #  "trusty", which disables older versions of TLS, and
+    #  requires the application to manually enable them.
     #
+    #  If you are running Debian trusty, you should set
+    #  these options, otherwise older clients will not be
+    #  able to connect.
+    #
+    #  Allowed values are "1.0", "1.1", and "1.2".
+    #
+    #  The values must be in quotes.
+    #
+<%- end -%>
+
+<%- if @tls_min_version -%>
+    tls_min_version = "<%= @tls_min_version -%>"
+<%- end -%>
+<%- if @tls_max_version -%>
+    tls_max_version = "<%= @tls_max_version -%>"
+<%- end -%>
 
     #
     #  Elliptical cryptography configuration