Here are the authentication policies that I use for the NPS server
Here are the client group policy settings
I should also mention that I saw there were option to specify authentication methods in the "Connection Request Policy" of the NPS server but that is all disabled and all authentication happens in the "Network Policies"
As for the reversible encryption it does not apply if you use MSCHAPv2 as you can see here
. Also when I was getting into this I was confused originally and thought that if we don't use a strongly encrypted authentication protocol your password will just be flying through the air in clear text. As it turns out PEAP acts like HTTPS for wireless authentication so everything dealing with authentication is encrypted in an SSL tunnel. This means you can pass your password though in clear text and the PEAP tunnel will protect it. After that happens you WiFI encryption (WPA/WPA2) kicks in and protects everything else.