Please make winbox logins with radius as a backend not CHAP-only.
CHAP seems like a good idea at first, until you have to severely compromise password security on the radius server by storing all passwords in cleartext.
Also, usage of two factor authentication is not possible with CHAP.
So please enable use of PAP for that. SSH and telnet already do this, I'm not sure on why winbox doesn't.