Core issue
This issue is due to the presence of Cisco bug ID CSCeg20752.
With this bug, ACS passes authentication for EAP-TLS users even though their certificates are revoked. Normal authentication of users works fine, but the Certificate Revocation List (CRL) is not downloaded or parsed.
This issue is typically observed in a multi-tiered CA environment where the certificates are issued and revoked on intermediate CAs that are subordinate to the root CA. In this setup, it is not possible to add the intermediate CA to the Certificate Trust List, so ACS does not trust CRLs created by the intermediate CA.
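The following Go program is an added illustration, not Cisco code and not a description of how ACS itself is implemented. It builds a constructed two-tier PKI (a placeholder root CA, an issuing CA subordinate to it, and two client certificates issued by the issuing CA), has the issuing CA publish a CRL that revokes one of them, and then makes the server-side EAP-TLS decision twice: once with only the root in the trust list, and once with the issuing CA added. All names and serial numbers are invented for the example. The point it shows is the defensive behaviour expected of a RADIUS server: chain validation succeeds either way, but a CRL whose signer is not in the trust list cannot be validated, and such a CRL must reject the client (fail closed) rather than be silently skipped, which is the opposite of the behaviour the bug note describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
var ErrCRLUnusable, ErrRevoked = errors.New("CRL signer not in the trust list, or CRL outside its validity window"), errors.New("client certificate is revoked")

// testPKI is a constructed root -> issuing CA chain, two client certs from the issuing CA, and a CRL signed by the issuing CA (not the root). Names are placeholders.
type testPKI struct {
	root, inter, leafRevoked, leafOK *x509.Certificate
	crlDER                           []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a key and issues a CA or client-auth certificate under parent (self-signed if parent is nil).
func newCert(serial int64, cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func buildPKI() *testPKI {
	root, rootKey := newCert(1, "Example Root CA", true, nil, nil)
	inter, interKey := newCert(2, "Example Issuing CA", true, root, rootKey)
	revoked, _ := newCert(1001, "user1", false, inter, interKey)
	valid, _ := newCert(1002, "user2", false, inter, interKey)
	// The issuing CA, not the root, signs the CRL: the layout the bug note describes.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, inter, interKey)
	check(err)
	return &testPKI{root: root, inter: inter, leafRevoked: revoked, leafOK: valid, crlDER: crl}
}

// authenticateClient is the server-side EAP-TLS decision for one client certificate: the chain must
// build to the root, and the CRL must be signed by a CA in the Certificate Trust List, be current, and
// not list the certificate. A CRL that cannot be validated rejects the client (fail closed).
func authenticateClient(p *testPKI, leaf *x509.Certificate, trustIntermediate bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.inter)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	trustList := []*x509.Certificate{p.root} // only the root unless the issuing CA is added
	if trustIntermediate {
		trustList = append(trustList, p.inter)
	}
	crl, err := x509.ParseRevocationList(p.crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	signerTrusted := false
	for _, ca := range trustList {
		signerTrusted = signerTrusted || (ca.Subject.String() == crl.Issuer.String() && crl.CheckSignatureFrom(ca) == nil)
	}
	if now := time.Now(); !signerTrusted || now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return ErrCRLUnusable
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %d", ErrRevoked, leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := buildPKI()
	fmt.Println("root-only trust list, revoked user:", authenticateClient(p, p.leafRevoked, false))
	fmt.Println("issuing CA trusted, revoked user:  ", authenticateClient(p, p.leafRevoked, true))
	fmt.Println("issuing CA trusted, valid user:    ", authenticateClient(p, p.leafOK, true))
}
```

With only the root in the trust list, the revoked user is rejected with ErrCRLUnusable because the CRL's signer cannot be validated; with the issuing CA added, the same CRL is honoured and the user is rejected as revoked, while the unrevoked user authenticates. Chain validation passes in both runs, which mirrors why the problem in this note is invisible in normal logins.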
Resolution
The workaround for this issue is to design the CA infrastructure as a standalone CA or to not use CRLs.
In order to resolve this issue, upgrade Cisco Secure ACS to software version 3.3(3.11) or later. In order to download the suggested software version, visit Cisco Downloads.
Features & Tasks
Certificate Revocation List (CRL)
Protocol / Ports
EAP-TLS