leap via the built in radius server.

Sounds like your RADIUS server isn't matching on the right attributes. Look in your RADIUS server detail log to understand why it is denying the login.

Not knowing how you set this up, have you looked at this doc: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

Using the internal RADIUS server, it works fine with the Intel ProSet software. When I use the XP utility, it just keeps prompting and the "Unknown Usernames" and "Invalid Packet from NAS" counters go up. I've tried with a vista laptop and get the same thing. The username success/fail counters don't incriment except for the success's with the Intel utility.

I've set fast reconnect, unchecked verify server and user computer/user info to login. It looks like Microsoft doesn't play nice with WPA2 Enterprise.

been a while since I used an autonomous AP for local EAP authentication...but I don't remember it accepting PEAP auths...M$ WZC won't do LEAP or EAP-FAST, right? Think you may have an EAP-type mismatch...

That is correct.... MS WZC doesn't support LEAP of EAP-FAST not PEAP-GTC. When you say you can use the Intel PROset, what is your configuration there.

The Intel client is set to Enterprise Security, network auth is wpa2-ent, data encryption is aes-ccmp, authent type is leap, and my username/password.

Is there any way to get windows xp/vista to natively work with wpa2 ent on a cisco ap? Or is a suplicant like Intel's required?

A suplicant is required. The only way you can have Windows XP/Vista to work with WPA2-Enterprise is to configure PEAP or use EAP-TLS. Instead of setting the auth to LEAP, you would set it to PEAP or EAP-TLS. A radius server is required and a server side cert for PEAP. If using EAP-TLS, a server and client side cert is required.

What a PITA! I was hoping Microsoft would get their "better security" right for a change :) Guess I'll setup that radius server I was hoping to avoid. Thanks for all the help guys!