Use EAP-TLS if your VPN clients need to use smart cards or if your enterprise already has a CA in place that issues user certificates.
Use MS-CHAPv2 if you need to use a password-based authentication method, and make sure you force the use of strong passwords using Group Policy.
Use less secure auth protocols like MS-CHAP, CHAP and PAP only if you absolutely must for backward compatibility reasons.
***
Mitch Tulloch is President of MTIT Enterprises, an IT content development company based in Winnipeg, Canada. Prior to starting his own company in 1998, Mitch worked as a Microsoft Certified Trainer (MCT) for Productivity Point International. Mitch is a widely recognized expert on Windows administration, networking and security and has written 14 books and over a hundred articles on various topics. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy Microsoft platforms, products and solutions. Mitch is also a professor at Jones International University (JIU) where he teaches graduate-level courses in Information Security Management (ISM) for their Masters of Business Administration (MBA) program. For more information see http://www.mtit.com.