I have a new install of ACS 5.2 added to our 2003 AD. I am using PEAP for wireless auth, and have ACS set to verify the user is a member of the wireless users security group in AD. If the user has never been a member of this group, wireless auth fails as it should. However, if I add a user to the sec group and ACS finds them and authenticates the wireless, it will always authenticate that user even after being removed from the group. I see that bug CSCtd16392 addresses a similar issue with 5.1, but I cannot find any mention of 5.2. Also, the bug shows the AD credentials are only cached for 30 min. I can live with 30 min, but I removed myself from the wireless group Friday afternoon, and I am still able to authenticate wireless on Monday. I verified that I do not have any other devices authenticating with my username, keeping the cache fresh.