Setting up a port authentication solution based on 802.1x with a MS PKI 08 with both OCSP and CRL for support of both W7 and XP. Was wondering how a connecting clients check revocation status if the OCSP and CRLs only are available from the inside. They have to verify the radius client's (AP) certificate. Anyone knows?

this depends on client settings. If revocation check is forced authentication will fail. If not forced authentication may be successful even if revocation is offline.http://en-us.sysadmins.lv