Authenticate Cisco ASA to Windows 2008 domain


See this article for more information. I think you will need to modify your Network Policy to allow the use of PAP and SPAP. I haven't found a way to change the authentication protocol the ASA uses. Hope that helps.

Author: user10699

Updated on September 17, 2022

Comments

  • user10699
    user10699 almost 2 years

    My office has replaced its Windows 2003 domain and domain controllers with Windows 2008.

    I have a Cisco ASA 5510 which handles VPN connectivity for our remote users, still integrated with one of the old Windows 2003 DCs running RADIUS.

    I need to migrate the ASA from the 2003 domain to the 2008 domain. How do I configure NPS under Windows 2008?

    ASA config:

    aaa-server NEWDC protocol radius
    aaa-server NEWDC host x.x.x.x
    key ********
    

    ASA configuration test command:

    test aaa-server authentication NEWDC host x.x.x.x
    

    This always returns immediately with a bad user/pass error, for any username. The users exist in AD, are enabled, and the passwords are correct. The key is the same in both Windows and the ASA.

    Windows 2008 NPS Radius Client config:

    Enabled
    Vendor name: RADIUS Standard or Cisco (neither works)
    Manual shared secret: ********
    (unchecked) Access-Request messages must contain the Message-Authenticator attribute
    (unchecked) RADIUS client is NAP-capable
    

    Windows 2008 NPS Connection Request Policy:

    Enabled
    Processing Order 2 (following Use Windows auth for all users)
    Source unspecified
    Auth Provider: Local Computer
    Auth Method: MS-CHAP v1 or MS-CHAP v2 or Allow unauthenticated
    Override Auth: Enabled
    Class: OU=Admin;
    Framed-Protocol: PPP
    Service-Type: Framed
    

    Windows 2008 Network Policy:

    Enabled
    Processing Order 3 (highest)
    Condition Windows Group = DOMAIN\VPN
    Ignore User Dial-In Properties: False
    Access Permission: Grant Access
    Auth method: MS-CHAP v1 or MS-CHAP v2
    NAP Enforcement: Allow full network access
    Update Noncompliant clients: True
    Framed Protocol: PPP
    Service-Type: Framed
    
  • Atulmaharaj
    Atulmaharaj over 12 years
    The newer ASA firmware versions (such as 8.2) support MS-CHAPv2 and others. I was able to turn off PAP and SPAP. Note that the ASA's RADIUS connection 'test' method still uses PAP, and will fail if you've disabled PAP. For authentication, however, you don't need the unencrypted protocols anymore.
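As an added example, not code from either poster, Cisco or Microsoft, the following Python models the exchange the two comments touch on: the ASA's `test aaa-server authentication` probe sends a PAP Access-Request, and the NPS RADIUS client option from the question, "Access-Request messages must contain the Message-Authenticator attribute", decides whether such a request is processed at all. The User-Password obfuscation follows RFC 2865 section 5.2 and the Message-Authenticator HMAC-MD5 follows RFC 2869; the function names, the shared secret, the user table and the NAS address are constructed for the example and are not the ASA's or NPS's own code.

```python
# Added example (not from the original page): a stand-alone model of a PAP
# RADIUS Access-Request and of the server-side checks NPS can apply to it.
# Standard library only; all secrets, users and addresses are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _pap_xor_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the Request Authenticator seeds the chain."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # always chain on the ciphertext block
    return bytes(out)


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte multiple
    return _pap_xor_stream(padded, secret, authenticator, decrypt=False)


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _pap_xor_stream(ciphertext, secret, authenticator, decrypt=True).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_pap_access_request(username: bytes, password: bytes, secret: bytes,
                             nas_ip: str, identifier: int, authenticator: bytes,
                             include_msg_auth: bool = True) -> bytes:
    """Client side: the kind of PAP request a `test aaa-server` probe sends.
    include_msg_auth adds the RFC 2869 Message-Authenticator attribute."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    ma_offset = None
    if include_msg_auth:
        ma_offset = 20 + len(attrs) + 2                 # where the 16 HMAC bytes will sit
        attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while computing the HMAC
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    if include_msg_auth:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:ma_offset] + mac + packet[ma_offset + 16:]
    return packet


def parse_attrs(packet: bytes):
    """Yield (type, value_offset, value) for each TLV after the 20-byte header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def simulate_nps(packet: bytes, secret: bytes, users: dict, require_msg_auth: bool) -> str:
    """Server side, modelled on the NPS client setting from the question:
    returns 'discard' (no reply at all), 'reject' or 'accept'."""
    attrs = {t: (off, v) for t, off, v in parse_attrs(packet)}
    authenticator = packet[4:20]
    if MESSAGE_AUTHENTICATOR in attrs:
        off, received = attrs[MESSAGE_AUTHENTICATOR]
        zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return "discard"  # RFC 2869 s5.14: silently discard on HMAC mismatch
    elif require_msg_auth:
        return "discard"      # "Access-Request messages must contain the Message-Authenticator"
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return "reject"
    username = attrs[USER_NAME][1]
    password = pap_decrypt(attrs[USER_PASSWORD][1], secret, authenticator)
    # With a wrong shared secret the decrypted bytes are garbage, so without a
    # Message-Authenticator the server cannot tell that from a wrong password.
    return "accept" if users.get(username) == password else "reject"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed
    users = {b"jdoe": b"Correct-Horse-7"}           # constructed user store
    auth = bytes(range(16))                         # constructed; real clients use 16 random bytes
    req = build_pap_access_request(b"jdoe", b"Correct-Horse-7", secret, "10.0.0.5", 7, auth)
    print(simulate_nps(req, secret, users, require_msg_auth=True))            # accept
    print(simulate_nps(req, b"wrong-secret", users, require_msg_auth=True))   # discard
    bare = build_pap_access_request(b"jdoe", b"Correct-Horse-7", secret, "10.0.0.5", 8, auth,
                                    include_msg_auth=False)
    print(simulate_nps(bare, b"wrong-secret", users, require_msg_auth=False)) # reject
```

The last call is the practitioner's point: for a PAP-only probe without Message-Authenticator, a shared-secret mismatch produces exactly the same Access-Reject the server sends for a wrong password, so the immediate "bad user/pass" in the question cannot by itself distinguish a policy problem from a key problem. Requiring the Message-Authenticator on the NPS client entry changes a secret mismatch into a silent discard (a timeout on the ASA side) and also protects the request against tampering in transit, which is why that checkbox is worth enabling once the client is confirmed to send the attribute.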