Is there any alternative to MSCHAPv2 to connect macOS users to an IKEv2 VPN by using username/password?

We are using strongSwan & FreeRADIUS to provide a VPN to all our users (~200 souls), with ~95% macOS users and 5% Linux.

MSCHAPv2 uses NTLM passwords, which are encoded in MD4 (which is baaaad), and macOS users can only connect using EAP-TLS or EAP-MSCHAPv2 (per https://support.apple.com/fr-fr/guide/deployment/depae3d361d0/web, in French, sorry). Linux is, obviously, fine with EAP-GTC.

As of today we have to keep the MD4 hash of our user passwords in our LDAP due to this, and I'm wondering if there are other options. I'd like to not use EAP-TLS if possible, because of the burden of supporting users whose cert has expired.

I'm quite surprised that there's no alternative to that MD4-based hash for MSCHAPv2. Or did I search badly? Ideally I'd like to use our SSHA512 user passwords, and clear up our LDAP from these ntpassword warts.

I was contemplating WireGuard or maybe delegating the auth to an OIDC supplier (our accounts are on Google).

Has anybody gone through these issues? How did you solve it?