When set to 'YES', unencrypted as well as encrypted Tunnel-Password, from RADIUS, is accepted. When set to 'NO' only encrypted Tunnel-Password, from RADIUS, is accepted. But as per RFC 2868 the Tunnel-Password MUST be encrypted by RADIUS before sending out.