Just a quick note about a gotcha, which will hopefully help someone searching for the answer…
In FreeRADIUS 2, if you want to use a Certificate Revocation List (CRL) along with the EAP module, then following the instructions in the eap configuration file will get you nowhere.
Instead of setting up a directory and hashing it using the openssl tools, just append the CRL in PEM format to the end of your trusted root CA file. Then, when the openssl libs load the CA they will also load the CRL. You should still have check_crl set to yes, though.
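The workaround above as a repeatable script. This is an added example, not from the original post or the FreeRADIUS project; the function names and file paths are assumptions. It goes one step beyond the note by replacing a previously appended CRL, so the file can be refreshed when a new CRL is issued.

```shell
#!/bin/sh
# Added example. File paths are assumptions: pass the trusted root CA file
# that your EAP configuration loads and the CRL published by that CA.

# refresh_ca_crl CA_FILE CRL_FILE
# Rewrites CA_FILE as its certificates followed by the CRL in PEM format.
refresh_ca_crl() {
    ca_file=$1
    crl_file=$2
    [ -r "$ca_file" ] && [ -r "$crl_file" ] ||
        { echo "cannot read input files" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" ||
        { echo "$ca_file holds no PEM certificate" >&2; return 1; }

    tmp=$(mktemp "${ca_file}.XXXXXX") || return 1

    # Keep the certificates and drop any CRL appended by an earlier run,
    # so stale CRLs do not pile up in the file.
    sed '/-----BEGIN X509 CRL-----/,/-----END X509 CRL-----/d' "$ca_file" > "$tmp"
    # Make sure the last certificate line ends with a newline before appending.
    [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"

    if grep -q -e '-----BEGIN X509 CRL-----' "$crl_file"; then
        # Already PEM: copy only the CRL block itself.
        sed -n '/-----BEGIN X509 CRL-----/,/-----END X509 CRL-----/p' "$crl_file" >> "$tmp"
    else
        # No PEM marker: assume DER and convert it.
        openssl crl -inform DER -in "$crl_file" -outform PEM >> "$tmp" ||
            { rm -f "$tmp"; return 1; }
    fi

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$ca_file" && rm -f "$tmp"
}

# count_crls FILE: number of CRL blocks present in FILE.
count_crls() {
    grep -c -e '-----BEGIN X509 CRL-----' "$1"
}

# verify_against_bundle CA_FILE CERT: check CERT against the CA and the
# appended CRL, the same way the openssl libs will see the file.
verify_against_bundle() {
    openssl verify -crl_check -CAfile "$1" "$2"
}
```

Run verify_against_bundle with a certificate you know is revoked before restarting the server: it should fail with a "certificate revoked" error if the CRL was picked up from the CA file.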
Thanks to Mike Griego at the University of Texas at Dallas for posting this workaround on the FreeRADIUS users mailing list.