We actually used to support CHAP, but it cannot work with MFA due to the way it hashes the password. Essentially, CHAP would hash the Password+OTP, leaving us with no way to validate it on the server side.
CHAP primarily helps prevent replay attacks, which is great. However, it doesn't stop someone from impersonating a user if their username and password have been compromised. That said, when we add MFA to PAP, we not only get protection from replay attacks but also safeguard against compromised usernames and passwords.
Do you have a specific requirement for CHAP? While it's possible that CHAP could work with automatic push authentication (since no password is entered), we generally don't support it anymore because it doesn't allow for any other authentication options.