Seems to be resolved. I upgraded the AP IOS to the latest 12.38JA1, then it works. Each time I can see one fail record in the ACS log, but the authentication can be completed after the first failed try anyway.
BTW, I saw these words on cisco.com:
--------
PEAP Authentication with Windows XP SP2 Fails with RADIUS Server
This issue occurs in Windows XP Service Pack 2 when you use a non-Microsoft RADIUS Server like the Cisco RADIUS server for authentication. Sometimes the initial connection can authenticate successfully, but subsequent fast-connect authentication attempts might not connect successfully. Microsoft has confirmed that this is a problem in the Microsoft products.
This issue occurs if your Cisco RADIUS server uses a different method to calculate the Extensible Authentication Protocol (EAP) Type:Length:Value format (EAP-TLV) ID than the method that Windows XP uses.
In order to resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. You can find more information about this hotfix at Microsoft hotfix for WPA.
-------
Interesting, ah?
Ed