  #1 (permalink)  
Old 01-15-2008, 12:42 PM
Junior Member
 
Join Date: Jan 2008
Posts: 2
Problem trying to force password change through PEAP

Hi,
I recently set up a wireless network for a client, but I am left with one issue that I cannot seem to resolve.
Hardware is a Cisco 2100 WCS controller with several compatible Cisco APs.
Hardware configured for PEAP / WPA / WPA2 / TKIP / AES combinations.
They authenticate through Windows IAS and authenticate against Active Directory (2003).
IAS is configured to authenticate only wireless clients, and only specific AD groups.
Clients are configured using PEAP / MS-CHAPv2. Not configured to validate server certificates. All use the Windows Wireless Zero Configuration utility.
The problem is that the client gives their users a standard password which they are expected to change at first login. In other words, the user's account in AD is set to force a password change the first time they log into the wireless network.
Now I know this works, because it works in my lab without issue... as long as you configure PEAP to allow the client to change their password.
But in production, it only works sometimes. The problem occurs across different laptop brands... in other words, I can't pin it down to either an IBM or Dell, or any specific kind of client wireless hardware.
When it doesn't work, users are prompted 3 times to change their password, but it doesn't work and then their authentication attempt starts over from the beginning.
Note that when this policy is not enabled (force password change), then all notebooks authenticate without issue... it's only when we try to force a password change through the client's AD account.
I tried applying several Microsoft patches (to help with 3rd party RADIUS timing issues) to the clients, but so far no luck.
Any advice would be appreciated.
  #2 (permalink)  
Old 01-16-2008, 02:36 PM
Junior Member
 
Join Date: Jan 2008
Posts: 2
Definitely a hardware issue

Just to update my own question, after much testing, it looks like certain wireless cards / drivers have incompatibility issues with the Cisco wireless hardware we are currently using. I was able to find a couple of combinations of wireless PC cards and laptop brands that can change their password over a PEAP / wireless connection, so it doesn't look like a Windows or RADIUS configuration issue.
  #3 (permalink)  
Old 01-30-2008, 08:36 AM
Junior Member
 
Join Date: Dec 2007
Posts: 20

Hi Max,

Yes, as you said, it looks like the issue is with the client drivers. Also, when the user has been prompted to change the password 3 times as you said, check for relevant logs in the Windows Event Viewer and see if we can interpret the logs. Adding to your setup, I have been trying to set up EAP-TLS and TTLS for a client's location. Though I don't use Cisco, my infrastructure is the same as yours. Controller and thin APs deployed across the site. When I use TLS, I need to know whether we need to transfer the cert to the client and select Smartcard/cert for authentication, or are there any other steps which I'm missing? I have deployed PEAP, but need to know how to deploy certs in TLS and TTLS. One thing I know in theory is that for TTLS, we need server and client side certs. What does this mean? How do we go about deploying? If you have any docs or links to configure, please send them across. It will be more helpful.
Thanks.