Our network relies on PAP/CHAP. Can we join eduroam securely?

PAP passwords remain in plaintext inside the "inner-tunnel", but the 802.1X SSL tunnel, in either TTLS or PEAP, runs from the user's supplicant all the way back to the home RADIUS server. All EAP authentication traffic, including the plaintext password, is encrypted within the SSL tunnel, which terminates on the RADIUS server itself. At that point, the only users who should have access to the unencrypted traffic are local administrators/users on the RADIUS server itself. From there, the transit to/from the directory service (IdP) must be secured according to local policy.

With CHAP, the security challenge lies in the secure storage of unencrypted passwords at rest, rather than in the transit of the credentials over the network. This must be addressed by institution-specific security policy.
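
The storage difference between the two methods, shown as an added example that is not part of the original FAQ: a server can check a PAP password against a one-way hash, but it can only recompute a CHAP response (RFC 1994) from its own cleartext copy of the password. The password, salt, identifier and challenge are constructed sample values, and PBKDF2 is an assumed stand-in for whatever one-way hash the directory uses.

```python
import hashlib
import hmac

# Constructed sample values for illustration only.
PASSWORD = b"correct horse battery"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CHAP_ID = 7
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def salted_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for the directory's one-way password hash (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(stored_hash: bytes, salt: bytes, submitted: bytes) -> bool:
    """PAP delivers the password itself, so a stored hash is sufficient."""
    return hmac.compare_digest(salted_hash(submitted, salt), stored_hash)


def verify_chap(stored_secret: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """CHAP delivers only a digest; the server recomputes it from its copy."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    stored_hash = salted_hash(PASSWORD, SALT)
    client_resp = chap_response(CHAP_ID, PASSWORD, CHALLENGE)
    return {
        "pap_with_hash_store": verify_pap(stored_hash, SALT, PASSWORD),
        "chap_with_cleartext_store": verify_chap(PASSWORD, CHAP_ID, CHALLENGE, client_resp),
        # Only the hash is on file: the recomputed digest cannot match.
        "chap_with_hash_store": verify_chap(stored_hash, CHAP_ID, CHALLENGE, client_resp),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```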