This applied to a router running tinyPEAP RADIUS authentication. You need two accounts on your Windows XP box for this test: (you obviously need a tinyPEAP properly configured with at least one user account) To be on the safe side, disable Fast User Switching and the Family logon screen and reboot the computer. In the first Windows XP user account: a) download/install the tinyPEAP certificate b) configure the network including the credentials for the tinyPEAP user account c) verify wireless connectivity by browsing anything. d) LOG OFF this session: do NOT reboot or shutdown/restart Log on the second Windows XP user account: e) verify that you still have network connectivity f) verify that the tinyPEAP certificate is NOT installed g) verify that the wireless network does not have any credentials for the active connection h) open a command prompt and ping -t any host on your network other than the tinyPEAP device I let a ping running for 60 minutes, which is long enough for WPA/802.1x to cycle the keys a couple of times i) reboot the machine and log on as the second Windows XP user account j) verify that you need a certificate to access the wireless network Presumably, XP SP1 does not flush the network cache at the time an authenticated user logs off. I did not verify this with XP SP2. This also implies that, if this were fixed, there would be no network connectivity to machines on which nobody is logged on. Are there plans to support machine certificates in tinyPEAP ?