hi, XP caches successful connections - Vista does too IIRC so I'm not sure why you are seeing different behaviour.. anyhow..you can clear the credentials by blatting a registry on eg logout or login. the RADIUS server wont see the difference between std login and cached login as the client sends the same stuff.
regarding theft. you are using EAP-TLS with client certs? in that case, you can simply revoke that client cert. the joys of using PKI alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html