configure a Cisco ASA to use MS-CHAP v2 for RADIUS authentication

Cisco ASA5505 8.2(2) Windows 2003 AD server

We want to configure our ASA (10.1.1.1) to authenticate remote VPN users through RADIUS on the Windows AD controller (10.1.1.200)

We have the following entry on the ASA:

aaa-server SYSCON-RADIUS protocol radius
aaa-server SYSCON-RADIUS (inside) host 10.1.1.200
 key *****
 radius-common-pw *****

When I test a login using the account COMPANY\username I see the users credentials are correct in the security log, but I get the following in the windows system logs:

User COMPANY\myusername was denied access.
 Fully-Qualified-User-Name = company.com/CorpUsers/AU/My Name
 NAS-IP-Address = 10.1.1.1
 NAS-Identifier = <not present> 
 Called-Station-Identifier = <not present> 
 Calling-Station-Identifier = <not present> 
 Client-Friendly-Name = ASA5510
 Client-IP-Address = 10.1.1.1
 NAS-Port-Type = Virtual
 NAS-Port = 7
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server = <undetermined> 
 Policy-Name = VPN Authentication
 Authentication-Type = PAP
 EAP-Type = <undetermined> 
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

My assumption is that the ASA is using PAP authentication, instead of MS-CHAP v2; the credentials are confirmed, the proper Remote Access Policy is being used, but this policy is set to only allow MS-CHAP2. What do we need to do on the ASA to make it us MS-CHAP v2? In the ADSM GUI The "Microsoft CHAP v2 compatible" tickbox is enabled, but I don't know what this corresponds to in the config.

[update] I tried to add the following to the tunnel-group:

tunnel-group MYTUNNEL-AD ppp-attributes
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

but the "no authentication pap" command doesn't do anything, and doesn't show when I run show tunnel-group... and the ASA is still using PAP.