Monday 2 March 2015

Usefulness of checking MS-CHAP-Challenge by TTLS Server



I've spotted what may be a "missed opportunity" in the EAP-TTLS specification for "Challenge"-based authentication protocols (for instance MS-CHAP-V2).



The client initiates MS-CHAP-V2 by tunneling User-Name, MS-CHAP-Challenge, and MS-CHAP2-Response AVPs to the TTLS server. The MS-CHAP-Challenge value is taken from the challenge material.

Upon receipt of these AVPs from the client, the TTLS server MUST verify that the value of the MS-CHAP-Challenge AVP and the value of the Ident in the client's MS-CHAP2-Response AVP are equal to the values generated as challenge material.


In short, the TTLS Server checks the MS-CHAP-Challenge and the 'Ident' field of MS-CHAP2-Response to ensure they match its own precomputed values. Client and TTLS Server should both hold identical values, since both derive them from the TLS tunnel between them.
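To make that check concrete, here is an added Python sketch (not code from the post or from any TTLS implementation) of how both tunnel endpoints derive the challenge material and how the TTLS server compares it against what the client sent. It assumes the tunnel is TLS 1.0/1.1 (so the MD5/SHA1 PRF applies), the label "ttls challenge" and the 17-byte split (16-byte challenge plus one Ident byte) from RFC 5281, and the master secret and randoms are constructed sample values.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    # TLS P_hash data expansion (RFC 2246 s.5): A(i) = HMAC(secret, A(i-1)), A(0) = seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    # TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    # second half (the halves overlap by one byte when the secret length is odd).
    # Assumption: the TTLS tunnel is TLS 1.0/1.1; TLS 1.2 would use P_SHA256 instead.
    half = (len(secret) + 1) // 2
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def ttls_challenge_material(master_secret, client_random, server_random):
    # Both tunnel endpoints derive the same 17 bytes from the TLS master secret and
    # randoms (label "ttls challenge", assumed from RFC 5281): bytes 0-15 become the
    # MS-CHAP-Challenge AVP, byte 16 is the Ident carried in MS-CHAP2-Response.
    material = tls10_prf(master_secret, b"ttls challenge", client_random + server_random, 17)
    return material[:16], material[16]

def server_accepts(tunnel, avp_challenge, avp_ident):
    # The TTLS server's MUST check: the client's MS-CHAP-Challenge AVP and the Ident
    # byte of its MS-CHAP2-Response have to equal the server's own derivation.
    expected_challenge, expected_ident = ttls_challenge_material(*tunnel)
    return hmac.compare_digest(avp_challenge, expected_challenge) and avp_ident == expected_ident

# Constructed sample tunnel parameters (master secret, client random, server random);
# not output of a real TLS handshake.
CLIENT_TUNNEL = (bytes(range(48)), b"\x11" * 32, b"\x22" * 32)
# A second tunnel with a different server random, as seen by a party that terminates
# its own TLS session toward the client: its challenge material differs.
OTHER_TUNNEL = (bytes(range(48)), b"\x11" * 32, b"\x33" * 32)

def demo():
    challenge, ident = ttls_challenge_material(*CLIENT_TUNNEL)
    same = server_accepts(CLIENT_TUNNEL, challenge, ident)      # True: same tunnel
    relayed = server_accepts(OTHER_TUNNEL, challenge, ident)    # False: AVPs from another tunnel
    bad_ident = server_accepts(CLIENT_TUNNEL, challenge, (ident + 1) % 256)  # False
    return same, relayed, bad_ident

if __name__ == "__main__":
    print(demo())
```

Note that the check only ties the AVPs to the tunnel the TTLS server itself terminates; a party that terminates that tunnel derives the same material, which is exactly the gap the post goes on to discuss.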


The implication is that this is meant to protect against man-in-the-middle attacks in which an attacker intercepts the authentication attempt and spoofs her own tunnel. In such a case the MS-CHAP-Challenge and 'Ident' values would not match. But presumably in such a case an attacker could also rewrite MS-CHAP-Challenge and 'Ident' to suit her needs. The later stage, in which the authentication server inspects MS-CHAP2-Response more fully, would eventually uncover this deceit, but it does call into question the role of the TTLS Server.


It also leaves open the possibility of an "Evil" TTLS Server acting as a Man in the Middle, unbeknownst to the client or the authentication server.


Eventually you could expect this deceit also to be uncovered by the mutual authentication phase of MS-CHAP-V2, but this is the only "inner" protocol that actually provides this.


I would expect, however, that the impostor could be uncovered more quickly if the client withheld its MS-CHAP-Challenge value and the TTLS Server itself supplied that value to the authentication server instead, thereby proving to the authentication server that all parties in the chain are legitimate.


In a nutshell: Could the overall security provided by EAP-TTLS challenge authentication be improved by a slight tweak to the specification, whereby the client withholds its raw challenge value (MS-CHAP-Challenge), and the TTLS Server is then forced to provide it to the authentication server alongside the MS-CHAP2-Response from the client?




