I'm very confused about how all this works and was hoping someone could help me out.

I followed a bunch of online tutorials to setup RADIUS authentication on a Cisco router and pointed it to a Windows NPS. I can now ssh into the router my with AD account.

Now that I got it working I'm going over the settings to make sure everything is secure.

On my router the config is pretty simple:

aaa new-model
aaa group server radius WINDOWS_NPS
server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
aaa authentication login default local group WINDOWS_NPS

ip domain-name MyDom
crypto key generate rsa

(under vty and console)# login authentication default

  On the Windows NPS:

• I created a new RADIUS client for the router.
• Created a shared secret and specified Cisco as Vendor Name.
• Created a new Network Policy with my desired conditions.
• And now the part of the Network Policy config that worries me:

So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:

How is my password being encrypted and how strong is the encryption?

Another thing is how can I configure aaa authentication with mschapv2? The documentation I saw for mschapv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp I'm using aaa with a radius server.