We can authenticate with EAP-PEAP + MSCHAPv2 as long as the passwords are stored in clear text in the SQL database.
MSCHAPv2 is a challenge-response protocol. To authenticate the client, CPPM sends a Challenge.
The supplicant on the client calculates the Response from the Challenge sent by CPPM and the password entered
by the user. The password is not sent over the wire.
If the authentication source is an SQL database or an LDAP database, CPPM also calculates the Response and
compares it with the Response sent by the client. To calculate the Response, CPPM needs the clear-text
password. If the authentication source is LDAP, the password can also be in NT Hash or LM Hash format.
If the authentication source is AD, CPPM forwards the Challenge and the client Response to AD for verification.
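
The server-side comparison described above, as an added example (not code from this page or from ClearPass): it recomputes the MSCHAPv2 NT-Response from a stored NT hash, following RFC 2759, and compares it with the client's Response. The function names are hypothetical and the inputs are the RFC 2759 section 9.2 test vectors; with a clear-text password the server would first derive the NT hash as MD4 over the UTF-16LE password, which is not shown because Go's standard library has no MD4.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// challengeHash: first 8 bytes of SHA1(peer challenge | authenticator challenge | username).
func challengeHash(peerChal, authChal []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChal...), authChal...), user...))
	return sum[:8]
}

// desKey spreads 7 key bytes over 8; DES ignores the low (parity) bit of each byte.
func desKey(k []byte) []byte {
	out := []byte{k[0], 0, 0, 0, 0, 0, 0, k[6] << 1}
	for i := uint(1); i < 7; i++ {
		out[i] = k[i-1]<<(8-i) | k[i]>>i
	}
	return out
}

// ntResponse zero-pads the NT hash to 21 bytes and DES-encrypts the challenge under each 7-byte third.
func ntResponse(ntHash, chal []byte) []byte {
	padded, resp := make([]byte, 21), make([]byte, 24)
	copy(padded, ntHash)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[i*7 : i*7+7])) // key is always 8 bytes, cannot fail
		c.Encrypt(resp[i*8:i*8+8], chal)
	}
	return resp
}

// verify is the server-side check: recompute the Response from the stored NT hash and compare.
func verify(storedNTHash, peerChal, authChal []byte, user string, clientResp []byte) bool {
	want := ntResponse(storedNTHash, challengeHash(peerChal, authChal, user))
	return len(storedNTHash) == 16 && subtle.ConstantTimeCompare(want, clientResp) == 1
}

func unhex(s string) []byte { b, _ := hex.DecodeString(s); return b }

func main() { // inputs: RFC 2759 section 9.2 test vectors (user "User", password "clientPass")
	auth, peer := unhex("5B5D7C7D7B3F2F3E3C2C602132262628"), unhex("21402324255E262A28295F2B3A337C7E")
	ntHash := unhex("44EBBA8D5312B8D611474411F56989AE") // NT hash as the LDAP source would store it
	resp := unhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
	fmt.Println("response accepted:", verify(ntHash, peer, auth, "User", resp))
}
```

The password never appears in this exchange, but the NT hash alone is enough to produce a valid Response, so a stored NT hash needs the same protection as a clear-text password.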