Re: EAP-FAST w/ ACS v 3.2 has password expiry problems
First, I'd suggest updating your IOS; 12.2(13) had a fair number of bugs.
It sounds like the client is going into sleep / power save mode and losing the connection to the Cirtix server. The server might be configured to only allow one session per client ... and the one that's allocated is disconnected (but still active).
Try killing the power-save mode on all of the client-side components and software.
Check the Citrix server to see if it has a session restriction ... if so, open it up (for diagnostic purposes).
Try setting the password expriration to some short value and see if having the password exire in ~5 minutes still locks the system (trying to rule out one system or the other as the problem source).
Also try staying active on the client through the time period where the password would expire to see if it's a sleep mode / power-save disconnect that's causing the problem.