I haven't worked with OpenBSD in this context, but I've setup 802.1X auth for layer-2 wireless. It's LDAP backed. We happen to also run a samba3 domain, so LDAP also stores NTLM hashes. I'm not a radius expert, but the only mechanism that seems to be able to deal with non clear passwords seem to have to deal with NTLM hashes. If there isn't a way to pass the auth request through some kind of layer that will give you a pass/fail response, I'm pretty sure you're stuck with having to store your radius passwords in the clear.
-Stephen
