Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecured network could determine a user's password.
The IAS use PAP/clear text is for Microsoft remote access or PPTP VPN.
When you config microsoft Radius server, you need choose PAP/clear text because Radius protocol using its own way to encrypte the password. CHAP or MSCHAP has MD5 one way hash will affect Radius's encryption process.
User authentication is happened after the group authentication which is the IPSEC phase 1 negotiation, so the user name and password between the PIX and remote VPN client is protected by DES or 3DES encryption.
All in one word, there is no security issue need to be worried.
Best Regards,