1 Solution
Basically yes, RADIUS server is always recommended, FortiAuthenticator for example can offers a scalable solution. You can aim for the most secure one EAP-TLS (user certificate based).
Anyway even if you are using EAP-TTLS/PAP (that is passing the traffic in clear text in inner tunnel) this is still secure because the information is exchanged via the EAP tunnel that encrypts the traffic with TLS. You have to configure manually the supplicant on end devices and be careful to select only the trusted domain and CA to avoid any "honey pot" scenario.
The authentication methods you mentioned are used as part of EAP protocol that is an open standard protocol. Some information can be found here: https://docs.fortinet.com/document/fortiauthenticator/6.5.2/administration-guide/125951/extensible-a...
There are three participants in this communication: Supplicant (end host) <-> Authenticator (FGT) <-> Auth. Server (RADIUS server).
The role of the authenticator (FGT/FAP) is just to translate the requests from EAPoL to RADIUS without worrying too much about the method used. Most of the related configurations are done in the Supplicant and the RADIUS server.
The methods have pros and cons, PEAP/MSCHAPv2 is more popular in windows hosts and EAP-TLS is the most secure, some of them are deprecated.
Basically yes, RADIUS server is always recommended, FortiAuthenticator for example can offers a scalable solution. You can aim for the most secure one EAP-TLS (user certificate based).
Anyway even if you are using EAP-TTLS/PAP (that is passing the traffic in clear text in inner tunnel) this is still secure because the information is exchanged via the EAP tunnel that encrypts the traffic with TLS. You have to configure manually the supplicant on end devices and be careful to select only the trusted domain and CA to avoid any "honey pot" scenario.
