Just wish to ask what is the default encryption used by ASA when exchanging username/password with a RADIUS server (Windows server). And is there a way to change the encryption (3DES to AES-128)?
RADIUS as a protocol uses an MD5-based "hiding" mechanism to encrypt the password attributes. It is a well-known issue with that communication.
To make sure that traffic is encrypted, I believe the best thing to do is to establish an IPsec tunnel between the server and the authenticating devices.
I hope it helps.