Then I'm afraid you've hit a crossroads.
You can either try to figure out how to force those Apple clients to request EAP-TTLS(PAP) (seems like some MDM settings do exist for it), or you will have to go back to RADIUS and EAP-PEAP(MSCHAPv2).
As far as FortiAuthenticator goes, it by default has the exact same limitation. When utilizing a general remote LDAP server as the user back-end, only EAP-TTLS(PAP) is assured to work.
It can support MSCHAPv2 (~> PEAP), but this is implemented by joining the FAC to the Windows AD domain (so unlikely to be relevant to your OpenLDAP environment), which allows it to verify the MSCHAPv2 credentials provided by the supplicant through SMB-based communication to the domain controller.
The crux of the issue is that the LDAP protocol does not support MSCHAPv2 authentication. As a consequence, any originally EAP or RADIUS authentication that then proxies further to LDAP has to deal with, or avoid, this limitation in one way or another, as it is not possible to translate the MSCHAPv2 payloads into a usable LDAP bindRequest.
[ corrections always welcome ]
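The limitation described in the post above, as an added sketch that is not part of the original post or any vendor's code: a proxy can turn a PAP password into a simple bind, but a challenge-response payload gives it nothing to bind with. The `Directory` class, the DN and the password are constructed, and SHA-256/HMAC stand in for MSCHAPv2's real MD4 and DES steps (RFC 2759) to keep the sketch short.

```python
import hashlib, hmac, os

class Directory:
    """Constructed stand-in for an LDAP server: salted hashes, simple bind only."""
    def __init__(self):
        self._entries = {}

    def add_user(self, dn, password):
        salt = os.urandom(8)  # SSHA-style storage: SHA-1(password + salt)
        self._entries[dn] = (salt, hashlib.sha1(password.encode() + salt).digest())

    def simple_bind(self, dn, password):
        # The only credential check a bindRequest offers: cleartext in, yes/no out.
        if dn not in self._entries:
            return False
        salt, digest = self._entries[dn]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def password_key(password):
    # Stand-in for the NT hash (real MSCHAPv2: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def supplicant_response(password, challenge):
    # Stand-in for the NT-Response (real MSCHAPv2: DES keyed by the NT hash).
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

def auth_pap(directory, dn, password):
    # EAP-TTLS(PAP): the tunnel delivers the cleartext password, so a bind works.
    return directory.simple_bind(dn, password)

def auth_chap_by_bind(directory, dn, response):
    # Challenge-response: the proxy holds only the response, which is not a password.
    return directory.simple_bind(dn, response.hex())

def auth_chap_by_key(key, challenge, response):
    # Verification needs the password-derived key, which a bind never hands back.
    return hmac.compare_digest(hmac.new(key, challenge, hashlib.sha256).digest(), response)

def demo():
    d = Directory()
    dn, pw = "uid=alice,ou=people,dc=example,dc=org", "correct horse"  # constructed
    d.add_user(dn, pw)
    challenge = os.urandom(16)
    resp = supplicant_response(pw, challenge)
    return (auth_pap(d, dn, pw), auth_chap_by_bind(d, dn, resp),
            auth_chap_by_key(password_key(pw), challenge, resp))

if __name__ == "__main__":
    print(demo())
```

The third path models a verifier that can reach the password-derived key, which is the role the domain controller plays when the authenticator is joined to AD.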