diff --git a/routlin/mod_radius.py b/routlin/mod_radius.py
index fb245db..9ea6e3e 100644
--- a/routlin/mod_radius.py
+++ b/routlin/mod_radius.py
@@ -258,12 +258,16 @@ def set_freeradius_eap(data):
 allow_weak_eap = eap_cfg.get('allow_weak_eap', False)
 content = RADIUS_EAP_FILE.read_text()
 tr_val = 'yes' if tunneled_reply else 'no'
+ eap_type = 'md5' if allow_weak_eap else 'peap'
 content2 = re.sub(r'(?m)^(\s*use_tunneled_reply\s*=\s*)(yes|no)', rf'\g<1>{tr_val}', content)
- content3 = toggle_freeradius_block(content2, 'md5', allow_weak_eap)
- if content3 == content:
+ # Only replace the first occurrence -- that is the outer eap{} block's default.
+ # Inner blocks (e.g. peap's tunneled default) must not be touched.
+ content3 = re.sub(r'(?m)^(\s*default_eap_type\s*=\s*)\w+', rf'\g<1>{eap_type}', content2, count=1)
+ content4 = toggle_freeradius_block(content3, 'md5', allow_weak_eap)
+ if content4 == content:
 return False
- RADIUS_EAP_FILE.write_text(content3)
- print(f"EAP: tunneled_reply={tr_val}, allow_weak_eap={allow_weak_eap}")
+ RADIUS_EAP_FILE.write_text(content4)
+ print(f"EAP: default_eap_type={eap_type}, tunneled_reply={tr_val}, allow_weak_eap={allow_weak_eap}")
 return True
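Review bot: With `allow_weak_eap` set, the added `eap_type = 'md5' if allow_weak_eap else 'peap'` line makes EAP-MD5 the method the server offers first rather than one it merely accepts, so a supplicant that supports both is likely to settle on MD5, which has no server authentication and leaves the challenge/response open to offline guessing. A peer that only speaks MD5 can still ask for it through an EAP Nak once the `md5` block is enabled, so the default can stay on PEAP in both cases: `eap_type = 'peap'`; if a deployed client is known not to Nak, that belongs in a comment beside the line. Separately, `count=1` relies on the outer `default_eap_type` being the first one in the file and a non-match passes silently, so using `re.subn` and checking that exactly one substitution happened would catch a reordered or hand-edited eap file. The body of `set_freeradius_eap` starts above this hunk, so how `eap_cfg` is read and validated is not visible here.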