If you pick RADIUS authentication to validate the Captive Portal users, the current release of Zeroshell uses PAP (Password Authentication Protocol).
This authentication method sends the user passwords over the network encrypted only with a symmetric salted key based on the RADIUS shared secret.
For some organizations, PAP can provide an unsatisfactory security level, because the password could be discovered by using a network analyzer such as a sniffer.
To solve this problem, the download section http://www.zeroshell.net/eng/download/ offers a patch for release 1.0.beta7 of Zeroshell that enables EAP-TTLS RADIUS authentication with PAP inner authentication for the Captive Portal.
The advantage of this authentication method is that the PAP messages are encapsulated in a TLS-encrypted tunnel. This technique, already used in protected WiFi access such as 802.1X, WPA and RSN, improves the security level of Captive Portal authentication against a RADIUS server, because the user credentials cannot be captured with a network sniffer.
To apply this patch, which uses the wpa_supplicant package, use the following shell commands:
wget http://www.zeroshell.net/listing/zs-1.0.beta7-captive-portal-eap-ttls.patch.tar.bz2
tar xvfj zs-1.0.beta7-captive-portal-eap-ttls.patch.tar.bz2
./install.sh
Starting with the release 1.0.beta8 of Zeroshell, this patch will be included in the distribution and you won’t need to apply it separately.
Regards
Fulvio