All versions of NPS (2008 <-> 2012 R2) should behave the same way. Dump below is from a 2012 R2. First a CHAP request is sent, that is rejected, and then PAP is tried. The Event Viewer will also indicate two logins. Subsequent logins are only sent using PAP though. Might be worth a shot to re-create the RADIUS server profile on the firewall. What does a Wireshark trace from the NPS look like? The whole CHAP implementation in 7.0 is pretty silly. The failover only works half the time for the inital logins, it causes massive issues with Multi Factor Authentication solutions using RADIUS Challenge/Response, there's no tickbox to turn it off and completely baffling that CHAP, instead of MS-CHAPv2 is supported..
... View more