I have a Microsoft NPS policy that is designed to allow a single user account the ability to perform 802.1X authentication to a wireless SSID. This policy is configured to allow only clients that authenticate using the "Microsoft: Protected EAP (PEAP)" method. No other method (e.g. PAP, CHAP, MS-CHAP-v2) is allowed/enabled on the policy.
Authentication is occurring for this user, and the NPS logs show that the policy being matched is the one described above; however, in the Windows Event Viewer Security log, I'm seeing that when this authentication happens, the "Logon Process" shown in event ID 4624 is "CHAP":
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-16T09:28:25.600375100Z" />
    <EventRecordID>9104061</EventRecordID>
    <Correlation />
    <Execution ProcessID="472" ThreadID="1728" />
    <Channel>Security</Channel>
    <Computer>REDACTED</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">REDACTED$</Data>
    <Data Name="SubjectDomainName">REDACTED</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">REDACTED</Data>
    <Data Name="TargetUserName">REDACTED</Data>
    <Data Name="TargetDomainName">REDACTED</Data>
    <Data Name="TargetLogonId">0x1ae1538</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">CHAP</Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x104</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
  </EventData>
</Event>
How is this possibly using CHAP (successfully), given the configuration of the associated NPS policy, which doesn't allow CHAP?
For what it's worth, we have other NPS policies configured. Our VPN policy allows only MS-CHAP-v2, and successful authentications for this policy show "IAS" for the Logon Process. Another policy for a different wireless network allows both PEAP and CHAP, and for it the Logon Process shown is "Schannel" (which I assume means PEAP is being used).
I'm trying to chase down anything that uses CHAP so we can disable the "Store password using reversible encryption" setting domain-wide.
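Added example, not part of the original question: a small Python triage script for exactly the hunt described in the post. It parses Security event 4624 in the XML shape shown above (Event Viewer's XML view, including its namespace), counts logons per "Logon Process", and lists the accounts whose logons went through CHAP, since those are the ones that still depend on passwords stored with reversible encryption. The sample events, the `CORP` domain and the account names are constructed for the example; only the element and `Data Name` field names come from the posted event.

```python
"""Triage Windows Security event 4624 XML for the LogonProcessName field.

Added example (not from the original post). Sample events below are
constructed in the same XML shape as the posted event.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by Windows event XML (visible in the posted event).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Of the logon processes named in the post (CHAP, IAS, Schannel), only CHAP
# requires the domain account to keep a reversibly encrypted password.
REVERSIBLE_ENCRYPTION_LOGON_PROCESSES = {"CHAP"}


def parse_event(xml_text: str) -> dict:
    """Return EventID and TimeCreated plus every EventData <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        record[data.get("Name")] = data.text or ""
    return record


def uses_reversible_encryption(record: dict) -> bool:
    """True when a 4624 logon was performed by a process that needs the cleartext password."""
    return (
        record.get("EventID") == 4624
        and record.get("LogonProcessName") in REVERSIBLE_ENCRYPTION_LOGON_PROCESSES
    )


def summarize(events: list[str]) -> dict:
    """Count 4624 logons per LogonProcessName and list DOMAIN\\user pairs that used CHAP."""
    by_process = Counter()
    chap_accounts = set()
    for xml_text in events:
        rec = parse_event(xml_text)
        if rec["EventID"] != 4624:
            continue  # other Security events carry no LogonProcessName
        by_process[rec["LogonProcessName"]] += 1
        if uses_reversible_encryption(rec):
            chap_accounts.add(f"{rec['TargetDomainName']}\\{rec['TargetUserName']}")
    return {"by_process": dict(by_process), "chap_accounts": sorted(chap_accounts)}


def make_4624(logon_process: str, user: str, domain: str = "CORP",
              auth_package: str = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0") -> str:
    """Build a constructed 4624 event (hypothetical users/domain) in the posted XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{{54849625-5478-4994-A5BA-3E3B0328C30D}}" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2018-09-16T09:28:25.600375100Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">{logon_process}</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
    <Data Name="WorkstationName">-</Data>
  </EventData>
</Event>"""


# Constructed sample: one wireless account via CHAP (twice), a VPN user via IAS,
# and a PEAP client whose logon process shows as Schannel, as described in the post.
SAMPLE_EVENTS = [
    make_4624("CHAP", "wifi-svc"),
    make_4624("IAS", "vpn-user"),
    make_4624("Schannel", "laptop-user"),
    make_4624("CHAP", "wifi-svc"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print("4624 logons per Logon Process:", result["by_process"])
    print("accounts still authenticating via CHAP:", result["chap_accounts"])
```

On a real NPS box the input would be the XML of each 4624 event exported from the Security log; the accounts that appear in `chap_accounts` are the ones to migrate off CHAP before the "Store password using reversible encryption" setting is turned off domain-wide.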