There have been many forum topics requesting RADIUS security improvements, going back 10+ years.
RouterOS currently uses MS-CHAPv2 for RADIUS login, including WebFig, SSH and API access. There is no setting allowing users to change to any other authentication method.
MS-CHAPv2 is not supported by many modern identity providers. It requires the RADIUS backend to store either the user’s cleartext password or the NT hash of it. The NT hash is password-equivalent, so storing it is much worse security. Modern IdP’s use one-way password encryption so exposure of password material doesn’t permit login.
With PAP, the RADIUS server receives the submitted password for that login attempt and can verify it against its normal password backend, without having to store NT hashes.
ROS should support more than a single RADIUS authentication protocol. Please add support for selecting the preferred one for RouterOS management login, especially PAP, because many RADIUS providers don’t support MS-CHAPv2.
You should send this feature request directly to Mikrotik, while from time to time the developers read the forum, there Is no guarantee they will ever see this thread.