I am currently configuring an ACS 4.2 to use certificate host based authentication using EAP-TLS. I have successfully configured a private CA (Certificate Authority) to issue client authentication and server authentication certificate to a host PC and to the ACS. I have imported the server authentication certificate into the ACS Certificate Setup on the web console. At this point I can use client certificate to authenticate to my domain though the ACS. The problem that I am having is when I enable certificate revocation list for my private CA the ACS says it is "In use" and it will download the CRL file(C:\Program Files\CiscoSecure ACS v4.2\CRL). I can see that the CRL file is there and that it has revoked serial numbers under the CRL files revocation list. However when the the CRL is in the "In Use" status I can no longer use my client to authenticate to my domain. If I change the status on the ACS for my private CA to "Not in use" and restart the ACS services my client will then again authenticate to my domain. I have checked the serial numbers in the CRL file for the revoked certificates to make sure that the certificate that I am using for host based authentication is listed as a revoked certificate.
The ACS seams to be not authenticating any clients with certificate host base authentication while the CRL is "In use" but authentication is just fine when the CLR is not being used. Any troubleshooting suggestions?