For authentication of administrators to management interface, SWG can use RADIUS with either PAP or CHAP. This is quite poor choice, because both are bad. CHAP is useless for most companies authenticating against Active Directory, because it requires storing user passwords in reversible form - a non-recommended thing which is not used by most organizations. And PAP represents a security problem: an IT staff member who has access to RADIUS server (in MS networks, Windows Server with IAS or NPS) and can intercept traffic, can decode passwords of authenticating users. This conflicts with many typical security policies which often strictly disable gaining access to passwords of different users.
Supporting things like MS-CHAPv2, EAP-MS-CHAPv2, or PEAP-EAP-MS-CHAPv2 would be much better. (The last one requires server certificate.)