diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index ea4848a834..e6fc8d7484 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -17,6 +17,13 @@
passwordSet the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#= with up to 128 characters.
+
+ user.passwordencryption
+
+ dropdown
+ true
+ Cleartext-Password The password will be stored in plaintext. This may be less secure than alternatives. Works with all RADIUS authentication protocols. NT-Password (pre-hashed) An NT hash of the password will be stored. First the NT hash of the password should be generated; this will be a string such as 469DCB69D4A58A5F29272787713D96F8. Then the hash (not the password) should be entered into the password field above. A command such as smbencrypt secret123 may be used to generate the pre-hashed NT Password. Works with the following RADIUS authentication protocols: PEAP, EAP-MSCHAPv2, EAP-GTC, PAP, MS-CHAP, Cisco LEAP.]]>
+ user.description
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 616b946b9e..506ab2d3f9 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -1,7 +1,7 @@
//OPNsense/freeradius/userFreeRADIUS user configuration
- 1.0.3
+ 1.0.4
@@ -17,6 +17,15 @@
Y/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}]){1,128}$/u
+
+ Cleartext-Password
+ Y
+ N
+
+ Cleartext-Password
+ NT-Password (pre-hashed)
+
+ N
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index a7c46550e6..ff9a97916f 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -3,7 +3,7 @@
{% for user_list in helpers.toList('OPNsense.freeradius.user.users.user') %}
{% if user_list.enabled == '1' %}
-{{ user_list.username }} Cleartext-Password := "{{ user_list.password }}"{% if helpers.exists('OPNsense.freeradius.general.sessionlimit') and OPNsense.freeradius.general.sessionlimit == '1' %}{% if user_list.sessionlimit_max_session_limit is defined %}, Max-Daily-Session := {{ user_list.sessionlimit_max_session_limit }}{% endif %}{% endif %}{% if user_list.simuse is defined %}, Simultaneous-Use := "{{ user_list.simuse }}"{% endif %}{% if user_list.logintime is defined %}, Login-Time := "{{ user_list.logintime }}"{% endif %}
+{{ user_list.username }} {{ user_list.passwordencryption }} := "{{ user_list.password }}"{% if helpers.exists('OPNsense.freeradius.general.sessionlimit') and OPNsense.freeradius.general.sessionlimit == '1' %}{% if user_list.sessionlimit_max_session_limit is defined %}, Max-Daily-Session := {{ user_list.sessionlimit_max_session_limit }}{% endif %}{% endif %}{% if user_list.simuse is defined %}, Simultaneous-Use := "{{ user_list.simuse }}"{% endif %}{% if user_list.logintime is defined %}, Login-Time := "{{ user_list.logintime }}"{% endif %}
{% if user_list.ip is defined %}
Framed-IP-Address = {{ user_list.ip }},