Passwords are sent in clear TXT, correct. There have been efforts to resolve this for other technologies like WiFi which allows PEAP, EAP-TLS, EAP-TTLS - but there is no way to do this for a portal login.
I'm not seeing what you guys are talking about. My first example up there was using the test button on the radius server config for the SSID. Here's another from actually entering the creds into the splash page. The pass is not in clear text.
I just tested using tcpdump like you did. You're right the password is not passed in plain text, however try running freeradius in debug mode and you will see the unhashed password in the User-Password attribute of the request. I think Meraki simply XORs the password with the freeradius server secret, which is better than nothing, but still very insecure.
On transmission, the password is hidden. The password is first
padded at the end with nulls to a multiple of 16 octets. A one-
way MD5 hash is calculated over a stream of octets consisting of
the shared secret followed by the Request Authenticator. This
value is XORed with the first 16 octet segment of the password and
placed in the first 16 octets of the String field of the User-
If the password is longer than 16 characters, a second one-way MD5
hash is calculated over a stream of octets consisting of the
shared secret followed by the result of the first xor. That hash
is XORed with the second 16 octet segment of the password and
placed in the second 16 octets of the String field of the User-
If necessary, this operation is repeated, with each xor result
being used along with the shared secret to generate the next hash
to xor the next segment of the password, to no more than 128
The method is taken from the book "Network Security" by Kaufman,
Perlman and Speciner  pages 109-110.