Hi,
Sunny and Gary thank you for the time and suggestions, but I have found the root cause of this issue.
One thing that lead me to look in another direction were Security logs. In there I had few audit failure logs. One with event ID 4625 and another with event ID 6273. Search for solution of ID 4625 took me to following forum thread:
https://serverfault.com/questions/608227/authentication-via-radius-mschapv2-error-691
It turned out that I was facing the same issue and it's also documented on microsoft pages:
As NTLMv1 was disabled the server was rejecting MS-CHAPv2 requests. To be more precise, when "Network security: LAN Manager authentication level" option is set to "Send NTLMv2 response only. Refuse LM & NTLM", located under Local Security Policy -> Local Policies -> Security Options, the server was rejecting requests. Once I reduced this to "Send NTLMv2 response only" I could normally logon to mikrotik using radius.
A brief summary is that MS-CHAPv2 needs NTLMv1.
Now this brings me to another question. Under Security Options there are policies that allow exceptions to specific servers regarding this rules, but setting mikrotik router under exceptions didn't allow me to login when "Send NTLMv2 response only. Refuse LM & NTLM" is defined.
Is there a way to use "Send NTLMv2 response only. Refuse LM & NTLM" option but allow NTLMv1 to some servers?
Also, on aforementioned microsoft page there's a suggested solution in which I should define new parameter "Enable NTLMv2 Compatibility" under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy. This approach didn't work with defined "Send NTLMv2 response only. Refuse LM & NTLM" option.