diff --git a/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc b/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc
index 7244e73bb87c3753a6e0241a86600ad1dfca2b9d..15b1ace1eb0a002aa1171790710aefa4f77982a3 100644
--- a/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc
+++ b/net/pfSense-pkg-freeradius3/files/usr/local/pkg/freeradius.inc
@@ -78,7 +78,6 @@ function freeradius_get_libdir() {
 }
 function freeradius_deinstall_command() {
- global $config;
 $pidFile = "/var/run/radiusd.pid";
 $i = 0;
@@ -90,17 +89,24 @@ function freeradius_deinstall_command() { } /* Remove package settings from config if 'Keep Settings' is disabled */ - init_config_arr(array('installedpackages', 'freeradiussettings', 'config', 0)); - if (isset($config['installedpackages']['freeradiussettings']['config'][0]['keep_settings']) && - empty($config['installedpackages']['freeradiussettings']['config'][0]['keep_settings'])) { + if (!config_path_enabled('installedpackages/freeradiussettings/config/0/', 'keep_settings')) { + $uninstall = array( + 'installedpackages/freeradius', + 'installedpackages/freeradiusauthorizedmacs', + 'installedpackages/freeradiusclients', + 'installedpackages/freeradiusinterfaces', + 'installedpackages/freeradiussettings', + 'installedpackages/freeradiuseapconf', + 'installedpackages/freeradiussqlconf', + 'installedpackages/freeradiusmodulesldap', + 'installedpackages/freeradiussync' + ); + log_error("[freeRADIUS] Removing all FreeRADIUS settings since 'Keep Settings/Data' is disabled..."); - $uninstall = array('freeradius', 'freeradiusauthorizedmacs', 'freeradiusclients', 'freeradiusinterfaces', - 'freeradiussettings', 'freeradiuseapconf', 'freeradiussqlconf', 'freeradiusmodulesldap', 'freeradiussync'); - foreach ($uninstall as $unin) { - if (is_array($config['installedpackages'][$unin])) { - unset($config['installedpackages'][$unin]); - } + foreach ($uninstall as $path) { + config_del_path($path); } + rmdir_recursive(FREERADIUS_RADDB, false); write_config("[freeRADIUS] Package uninstalled."); } 
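Review bot: The new guard `!config_path_enabled(...)` also fires when `keep_settings` was never saved, whereas the removed `isset(...) && empty(...)` test only wiped settings when the key existed and was off; combined with the newly added `rmdir_recursive(FREERADIUS_RADDB, false)`, an install whose Settings tab was never saved now loses every config section plus the raddb tree (server certificate and key files included) on uninstall. If "not kept" is the intended default, a one-line comment saying so would stop the next reader from treating it as a regression; otherwise gate the wipe on the key being present. The path also carries a trailing slash, unlike every other path in this change, and whether the helper tolerates an empty last segment is not visible here — use `if (!config_path_enabled('installedpackages/freeradiussettings/config/0', 'keep_settings')) {`. That `config_path_enabled` treats an absent key as disabled is inferred from its name, not from anything in the hunk.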
@@ -130,26 +136,27 @@ function freeradius_chown_recursive($dir, $user = "root", $group = "wheel") { } function freeradius_upgrade_config() { - global $config; - // FreeRADIUS built-in certificate manager was removed (Bug #7170) - if (is_array($config['installedpackages']['freeradiuscerts'])) { - unset($config['installedpackages']['freeradiuscerts']); - log_error(gettext("freeRADIUS: Removing deprecated built-in certificate manager configuration.")); - } - if (is_array($config['installedpackages']['freeradiuseapconf']['config'][0])) { - if (isset($config['installedpackages']['freeradiuseapconf']['config'][0]['vareapconfchoosecertmanager'])) { - unset($config['installedpackages']['freeradiuseapconf']['config'][0]['vareapconfchoosecertmanager']); - } - if (isset($config['installedpackages']['freeradiuseapconf']['config'][0]['vareapconfprivatekeypassword'])) { - unset($config['installedpackages']['freeradiuseapconf']['config'][0]['vareapconfprivatekeypassword']); + $deprecated_config_paths = array( + 'installedpackages/freeradiuscerts', + 'installedpackages/freeradiuseapconf/config/0/vareapconfchoosecertmanager', + 'installedpackages/freeradiuseapconf/config/0/vareapconfprivatekeypassword' + ); + + $isremoved = false; + foreach ($deprecated_config_paths as $path) { + if (config_get_path($path)) { + $isremoved = true; + config_del_path($path); } } + + if ($isremoved) { + log_error(gettext("freeRADIUS: Removed deprecated built-in certificate manager configuration.")); + } } function freeradius_install_command() { - global $config; - // We create here different folders for different counters. safe_mkdir("/var/log/radacct/datacounter/daily"); safe_mkdir("/var/log/radacct/datacounter/weekly"); @@ -282,7 +289,6 @@ EOD; } function freeradius_settings_resync($restart_svc = true) { - global $config; $conf = ''; // put the constant to a variable 
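Review bot: `if (config_get_path($path))` tests truthiness, so a deprecated key whose stored value is `'0'` or `''` is left behind in config.xml, while the removed `isset()` checks deleted any present key regardless of value — and `vareapconfprivatekeypassword` is exactly the leftover you want gone whatever it holds. Compare against the helper's not-found value instead: `if (config_get_path($path) !== null) {` (assuming null is what it returns for a missing path; that is not visible in the hunk). The "Removed deprecated ..." log line is suppressed under the same condition, so a removal that did not happen and one that was skipped because the value was falsy currently look the same in the log.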
@@ -303,11 +309,7 @@ function freeradius_settings_resync($restart_svc = true) { touch("/var/log/radwtmp"); } - if (is_array($config['installedpackages']['freeradiussettings']['config'][0])) { - $varsettings = $config['installedpackages']['freeradiussettings']['config'][0]; - } else { - $varsettings = array(); - } + $varsettings = config_get_path('installedpackages/freeradiussettings/config/0', []); // Variables: General configuration $varsettingsmaxrequests = ($varsettings['varsettingsmaxrequests'] ?: '1024'); @@ -340,11 +342,7 @@ function freeradius_settings_resync($restart_svc = true) { $varsettingsmaxrequestsperserver = ($varsettings['varsettingsmaxrequestsperserver'] ?: '0'); // For more details look at freeradius_sqlconf_resync() - if (is_array($config['installedpackages']['freeradiussqlconf']['config'][0])) { - $sqlconf = $config['installedpackages']['freeradiussqlconf']['config'][0]; - } else { - $sqlconf = array(); - } + $sqlconf = config_get_path('installedpackages/freeradiussqlconf/config/0', []); // Dis-/Enable SQL in "instatiate" section in freeradius_settings_resync() and radiusd.conf SQL SERVER 2 if ($sqlconf['varsqlconf2includeenable'] == 'on') { @@ -479,10 +477,9 @@ EOD; } function freeradius_users_resync($via_rpc = false) { - global $config; $conf = ''; - $arrausers = config_get_path('installedpackages/freeradius/config', []); + $arrusers = config_get_path('installedpackages/freeradius/config', []); if (!empty($arrusers)) { foreach ($arrusers as $users) { @@ -802,7 +799,6 @@ EOD; } } - function freeradius_authorizedmacs_resync($restart_svc = true, $via_rpc = false) { $conf = ''; 
@@ -1157,16 +1153,11 @@ EOD; } } - - function freeradius_eapconf_resync($restart_svc = true) { - global $config; $conf = ''; - if (!is_array($config['installedpackages']['freeradiuseapconf']['config'][0])) { - $config['installedpackages']['freeradiuseapconf']['config'][0] = array(); - } - $eapconf = & $config['installedpackages']['freeradiuseapconf']['config'][0]; + $eapconf_path = 'installedpackages/freeradiuseapconf/config/0'; + $eapconf = config_get_path($eapconf_path); // Disable weak EAP types like MD5, and GTC if ($eapconf['vareapconfdisableweakeaptypes'] == '') { @@ -1194,12 +1185,6 @@ EOD; // Variables: EAP-TLS $vareapconffragmentsize = ($eapconf['vareapconffragmentsize'] ?: '1024'); $vareapconfincludelength = ($eapconf['vareapconfincludelength'] ?: 'yes'); - $vareapconfcountry = ($eapconf['vareapconfcountry'] ?: ''); - $vareapconfstate = ($eapconf['vareapconfstate'] ?: ''); - $vareapconfcity = ($eapconf['vareapconfcity'] ?: ''); - $vareapconforganization = ($eapconf['vareapconforganization'] ?: ''); - $vareapconfemail = ($eapconf['vareapconfemail'] ?: ''); - $vareapconfcommonname = ($eapconf['vareapconfcommonname'] ?: 'internal-ca'); // Variables: Cache $vareapconfcacheenablecache = ($eapconf['vareapconfcacheenablecache'] ?: 'no'); @@ -1221,7 +1206,6 @@ EOD; $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype'] ?: 'mschapv2'); $vareapconfpeapcopyrequesttotunnel = ($eapconf['vareapconfpeapcopyrequesttotunnel'] ?: 'no'); $vareapconfpeapusetunneledreply = ($eapconf['vareapconfpeapusetunneledreply'] ? 1 : 0); - $vareapconfpeapsohenable = ($eapconf['vareapconfpeapsohenable'] ?: 'Disable'); // This is for enable/disbable MS SoH in EAP-PEAP and the virtuial-server "soh-server" if ($eapconf['vareapconfpeapsohenable'] == 'Enable') { 
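Review bot: `config_get_path($eapconf_path)` is called without the `[]` default that every other lookup in this change passes, so on a box where the EAP section has never been saved `$eapconf` becomes whatever the helper's fallback is (presumably null) rather than the empty array the removed `is_array`/assignment guard guaranteed. The `$eapconf['...']` reads that follow then trigger "Trying to access array offset on value of type null" warnings in PHP 7.4+, and the later `$eapconf["ssl_ca_cert"] = ...` writes rely on null-to-array autovivification before `config_set_path($eapconf_path, $eapconf)` persists the result. Use `$eapconf = config_get_path($eapconf_path, []);`. freeradius_eapconf_resync continues well past this hunk.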
@@ -1238,20 +1222,9 @@ EOD; unlink_if_exists(FREERADIUS_SITESENABLED . "/soh"); } - // For pfSense cert manager $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]); if ($ca_cert == false) { - if (!is_array($config['ca'])) { - $config['ca'] = array(); - } - $a_ca =& $config['ca']; - - if (!is_array($config['cert'])) { - $config['cert'] = array(); - } - $a_cert =& $config['cert']; - /* Generate CA with generic details */ $ca = array(); $ca['refid'] = uniqid(); @@ -1264,7 +1237,9 @@ EOD; } else { $eapconf["ssl_ca_cert"] = $ca['refid']; $ca_cert = $ca; + $a_ca = config_get_path('ca'); $a_ca[] = $ca; + config_set_path('ca', $a_ca); $cert = array(); $cert['refid'] = uniqid(); $cert['descr'] = "FreeRADIUS Server Certificate"; @@ -1276,7 +1251,9 @@ EOD; file_notice("FreeRADIUS", gettext("Cannot create temporary FreeRADIUS certificate. Visit Services > FreeRADIUS > EAP tab and configure server certificates in the 'Certificates for TLS' section: " . openssl_error_string())); $cert_error = true; } else { + $a_cert = config_get_path('cert'); $a_cert[] = $cert; + config_set_path('cert', $a_cert); $eapconf["ssl_server_cert"] = $cert['refid']; } } @@ -1304,7 +1281,7 @@ EOD; file_put_contents(FREERADIUS_CERTS . "/server_key.pem", base64_decode($svr_cert['prv'])); } if (base64_decode($svr_cert['crt'])) { - file_put_contents(FREERADIUS_CERTS . "/server_cert.pem", + file_put_contents(FREERADIUS_CERTS . "/server_cert.pem", base64_decode($svr_cert['crt']) . "\n" . ca_chain($svr_cert)); } @@ -1354,6 +1331,8 @@ EOD; $vareapconftlsminversion = '1.0'; } + config_set_path($eapconf_path, $eapconf); + $conf .= << 'none', 'descr' => 'none'); - if (is_array($config['crl'])) { - foreach ($config['crl'] as $crl) { - $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']); - } + foreach (config_get_path('crl', []) as $crl) { + $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']); } return $crl_arr; } 
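Review bot: `config_get_path('ca')` and `config_get_path('cert')` are read without a `[]` default immediately before the append, so on a system with no CA or certificate entries the append runs on the helper's not-found value (presumably null, not visible here) and the stored list is produced by autovivification; pass `config_get_path('ca', [])` and `config_get_path('cert', [])` to match the other lookups in this change. Also worth confirming: with the `&$config['ca']`/`&$config['cert']` references gone, the generated CA and server certificate reach config.xml only via these `config_set_path` calls plus a `write_config()` that is not visible in these hunks, and the `ssl_ca_cert`/`ssl_server_cert` refids are persisted only by the `config_set_path($eapconf_path, $eapconf)` added further down — any early exit between the two would leave a freshly written key pair under FREERADIUS_CERTS with no config entry pointing at it. The enclosing function starts and ends outside this line.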
@@ -1706,7 +1681,7 @@ function freeradius_get_ca_crl() { function freeradius_sqlconf_resync() { $conf = ''; - $sqlconf = config_get_path('installedpackages/freeradiussqlconf/config', []); + $sqlconf = config_get_path('installedpackages/freeradiussqlconf/config/0', []); // Variables: SQL DATABASE 1 $varsqlconfdatabase = ($sqlconf['varsqlconfdatabase'] ?: 'mysql'); @@ -1893,7 +1868,6 @@ sqlcounter expire_on_login { \$INCLUDE \${modconfdir}/sql/counter/\${dialect}/\${.:instance}.conf } - EOD; $filename = FREERADIUS_MODSENABLED . '/sqlcounter'; @@ -1921,7 +1895,8 @@ EOD; function freeradius_serverdefault_resync() { $conf = ''; - $arrmodulesldap = config_get_path('installedpackages/freeradiusmodulesldap/config', []); + // Get Variables from freeradiusmodulesldap.xml + $arrmodulesldap = config_get_path('installedpackages/freeradiusmodulesldap/config/0', []); // failover/loadbalancing mode $varmodulesldap2failover = ($arrmodulesldap['varmodulesldap2failover'] ?: 'redundant'); 
@@ -1983,18 +1958,8 @@ EOD; @unlink_if_exists(FREERADIUS_MODSENABLED . '/ldap'); } - $sqlconf = config_get_path('installedpackages/freeradiussqlconf/config', []); - - $varsqlconfenableauthorize = ($sqlconf['varsqlconfenableauthorize'] ?: 'Disable'); - $varsqlconfenableaccounting = ($sqlconf['varsqlconfenableaccounting'] ?: 'Disable'); - $varsqlconfenablesession = ($sqlconf['varsqlconfenablesession'] ?: 'Disable'); - $varsqlconfenablepostauth = ($sqlconf['varsqlconfenablepostauth'] ?: 'Disable'); - - // Get Variables from freeradiussqlconf.xml for DATABASE 2 - $varsqlconf2enableauthorize = ($sqlconf['varsqlconf2enableauthorize'] ?: 'Disable'); - $varsqlconf2enableaccounting = ($sqlconf['varsqlconf2enableaccounting'] ?: 'Disable'); - $varsqlconf2enablesession = ($sqlconf['varsqlconf2enablesession'] ?: 'Disable'); - $varsqlconf2enablepostauth = ($sqlconf['varsqlconf2enablepostauth'] ?: 'Disable'); + // Get Variables from freeradiussqlconf.xml for DATABASE 1 + $sqlconf = config_get_path('installedpackages/freeradiussqlconf/config/0', []); // authorize section DATABASE 2 if (($sqlconf['varsqlconf2includeenable'] == 'on') && ($sqlconf['varsqlconf2enableauthorize'] == 'Enable')) { @@ -2108,7 +2073,9 @@ EOD; $varsqlconfpostauthtypereject = '# sql'; } - $varsettings = config_get_path('installedpackages/freeradiussettings/config', []); + // Changing authorize section for plain mac auth + // Variables: If not using 802.1x, mac address must be known + $varsettings = config_get_path('installedpackages/freeradiussettings/config/0', []); // If unchecked we need the normal EAP section. if (!$varsettings['varsettingsenablemacauth']) { @@ -2209,7 +2176,6 @@ EOD; } // endforeach } // endif empty - $conf .= <<setCredentials($username, $password); - if ($g['debug']) { + if (g_has('debug')) { $cli->setDebug(1); } /* Send our XMLRPC message and timeout after defined sync timeout value */ 
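Review bot: The hunk deletes the eight `$varsqlconfenable*` / `$varsqlconf2enable*` locals, but only the DATABASE 2 `authorize` test that follows is visibly rewritten to read `$sqlconf[...]` directly; if any later line of freeradius_serverdefault_resync (the function runs past this hunk) still does `$varsqlconfenableaccounting == 'Enable'` and the like, it now compares an undefined variable and the corresponding SQL accounting/session/post-auth blocks silently drop out of the generated site config. Grep the remainder of the function for those names before merging, or keep the derived variables next to the new lookup. Separately, the added comment `// Get Variables from freeradiussqlconf.xml for DATABASE 1` sits directly above the `// authorize section DATABASE 2` block; `// Get Variables from freeradiussqlconf.xml (both databases)` would describe what the line actually fetches.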
@@ -2635,7 +2592,6 @@ function freeradius_all_after_XMLRPC_resync() { } function freeradius_modulescounter_resync() { - global $config; $conf = ''; $conf .= << "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" @@ -3656,7 +3599,6 @@ EOD; } function freeradius_datacounter_acct_resync() { - global $config; $conf = ''; $conf .= <<