I know this is a little late, but I've come across the same issue, sort of and I thought I would add this comment.
The iDevices will authenticate using MS-CHAP if, as wireless clients, they're sitting on the same VLAN and Subnet as our radius and dhcp server (essentially our main network). As soon as we try it in a different subnet and vlan using some other DHCP server we see the following:
1) with termination on - they use PAP
2) with termination off - they use EAP
Of course, we only want to use MS-CHAP, but don't want them on the same VLAN or subnet. I'm not familiar with how all of this traffic flows around when authenticating, so maybe that's by design. But if anyone has any further insight, I'm a good listener (reader).
I'm in the same situation with the i-APs (ie. no controllers).
Thanks to all!