Because we move eap into a subpackage.
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -8,7 +8,7 @@
 LOCAL_SITES :=		$(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
 
 DEFAULT_MODULES :=	always attr_filter cache_eap chap date \
-			detail detail.log digest dynamic_clients eap \
+			detail detail.log digest dynamic_clients \
 			echo exec expiration expr files linelog logintime \
 			mschap ntlm_auth pap passwd preprocess radutmp realm \
 			replicate soh sradutmp unix unpack utf8
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -386,7 +386,7 @@
 	#  uncomment it as well; this will further reduce the number of
 	#  LDAP and/or SQL queries for TTLS or PEAP.
 	#
-	eap {
+	-eap {
 		ok = return
 #		updated = return
 	}
@@ -536,7 +536,7 @@
 
 	#
 	#  Allow EAP authentication.
-	eap
+	-eap
 
 	#
 	#  The older configurations sent a number of attributes in
@@ -858,7 +858,7 @@
 		# Insert EAP-Failure message if the request was
 		# rejected by policy instead of because of an
 		# authentication failure
-		eap
+		-eap
 
 		#  Remove reply message if the response contains an EAP-Message
 		remove_reply_message_if_eap
@@ -936,7 +936,7 @@
 	#  hidden inside of the EAP packet, and the end server will
 	#  reject the EAP request.
 	#
-	eap
+	-eap
 
 	#
 	#  If the server tries to proxy a request and fails, then the
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -128,7 +128,7 @@
 	#  for the many packets that go back and forth to set up TTLS
 	#  or PEAP.  The load on those servers will therefore be reduced.
 	#
-	eap {
+	-eap {
 		ok = return
 	}
 
@@ -244,7 +244,7 @@
 
 	#
 	#  Allow EAP authentication.
-	eap
+	-eap
 }
 
 ######################################################################
@@ -432,7 +432,7 @@
 	#  hidden inside of the EAP packet, and the end server will
 	#  reject the EAP request.
 	#
-	eap
+	-eap
 }
 
 } # inner-tunnel server block