I had this problem too and found out via Wireshark Capture that MD5 EAP Type is being used. This is odd as the regular WPA2-Enterprise RADIUS uses EAP-PEAP while the Captive Portal Uses EAP-MD5, a relatively insecure protocol to be using for this purpose.
Nonetheless, I am authenticating against NPS Service in Windows Server 2012 R2, and in order to get MD5-Challenge to appear as an option for Authentication Method in your Network Policy, you must add this feature back into the Windows Registry and restart the NPS Service.
After this is done, you must enable "Store Password Using Reversible Encryption" on the Active Directory user account you are going to be using for the Captive Portal, and then reset the password (even if you are going to be using the same password) to allow Active Directory to regenerate a new hash that allows for reversible encryption, otherwise you will get either "IAS_AUTH_FAILURE" or "No reversibly encrypted password is stored for the user account"
After all this is done, you should be able to login via your Domain Credentials and get an "IAS_SUCCESS" in your log.
Here is the registry key that must be imported to enable EAP-MD5 in Windows NPS. Simply copy and paste into Notepad and save it as a .REG file.
Note: This has only been tested on Windows Server 2012 R2.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\4]
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001
"RolesSupported"=dword:0000000a
Disclaimer: Enabling EAP-MD5 is not recommended in a production environment due to security weaknesses.
===============
Viele Grüße
Achim
