At long last I came back with the solution we arrived at. Here is what I told Aruba TAC after Microsoft verified the known issue:
Symptoms:
2012 R2 Network Policy Server
802.1x failures not logged in event viewer even though they are set to do so
NPS not sending RADIUS-reject packets, causing Aruba blacklisting to fail and clients to lock out their AD accounts
Solution:
I wanted to update on what the solution was after discussion with Microsoft support, since I imagine it might help with troubleshooting other customers in the future. Here was their comment on the issue verbatim (it appears to be a feature limitation of NPS server):
"From your description, we are using PEAP-EAP-MS-CHAPV2 authentication method, wireless client, wireless control(radius client). I have verified this issue, for this specific scenario, it should be a known issue for this authentication method, and we have found the correct workaround” set "number of authentication retries" to 0”."
The setting discussed is within the configuration tree on network policy server as follows:
"Policies" > "Network Policies" > Right Click Policy In Use > "Properties" > "Constraints" > "Authentication Methods" > Select "Microsoft: Protected EAP (PEAP)" > Click "Edit" > Click "Edit" Again
And then change "Number of Authentication Retries" to 0
Do the same for the other EAP types:
"Policies" > "Network Policies" > Right Click Policy In Use > "Properties" > "Constraints" > "Authentication Methods" > Select "Microsoft: Secured password (EAP-MSCHAP v2)" > Click "Edit"
And then change "Number of Authentication Retries" to 0
With both of these set to 0, NPS will log failed events and will transmit the RADIUS-reject as it should, causing the Aruba blacklisting feature to properly blacklist on 3 failures.
Hope this helps someone down the line and thanks for your help.
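
A way to confirm the change took effect, as an added example that is not part of the original post or of Microsoft's or Aruba's guidance: check that failure auditing is on for NPS, then list clients with 3 or more rejects in the last hour, the threshold the post gives for Aruba blacklisting. It assumes an elevated PowerShell session on the NPS server and the standard NPS audit event 6273 ("Network Policy Server denied access to a user") in the Security log; the one-hour window is an arbitrary choice.

```powershell
# Added example (not from the original post). Run elevated on the NPS server.

# 1. The "Network Policy Server" audit subcategory must include Failure,
#    otherwise rejects never reach the Security log regardless of the retry setting.
auditpol /get /subcategory:"Network Policy Server"

# 2. Collect NPS reject events (ID 6273) from the last hour (window is an assumption).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 6273 events since $since. Failed 802.1X attempts are still not being logged."
    return
}

# 3. Flatten the named EventData fields of each event into one object.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        User         = $data['SubjectUserName']
        ClientMac    = $data['CallingStationID']
        RadiusClient = $data['ClientName']
        ReasonCode   = $data['ReasonCode']
    }
}

# 4. Clients with 3 or more rejects: these should now appear in the
#    controller's blacklist instead of continuing to lock out the AD account.
$rows |
    Group-Object User, ClientMac |
    Where-Object { $_.Count -ge 3 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastReject';  Expression = { ($_.Group | Sort-Object Time)[-1].Time } },
        @{ Name = 'ReasonCodes'; Expression = { ($_.Group.ReasonCode | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```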