In this video, we show how certificates for Onboarded devices can be revoked (disabled). By default, revoked certificates still give access, so we need to configure OCSP (Online Certificate Status Protocol). With that enabled, clients that try to authenticate with a revoked certificate are denied access.
The override OCSP URL is disabled in this example, which requires a valid OCSP URL to be present in the client certificate. For Onboard we configured that in episode Onboard #1; for Microsoft AD it is more complicated. That is why we select "OCSP optional" in the EAP-TLS method. That honors the OCSP response if there is one, and ignores OCSP if there is no OCSP response (for example because there is no OCSP URL in the client certificate, which is issued by Active Directory Certificate Services).
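To make the three behaviours described above concrete (no check, "OCSP optional", "OCSP required"), here is a small simulation of the revocation-status decision. It is an added example, not ClearPass code and not from the video: the certificate serials, subjects, responder URL and the responder table are constructed, and the OCSP lookup is modelled as a dictionary rather than a network request. A certificate without an AIA OCSP URL stands in for the Active Directory Certificate Services case, and a URL missing from the table models a responder that returns no response.

```python
"""Model of the EAP-TLS revocation-status decision described in the video.

Hypothetical, simplified simulation (not ClearPass code): a client certificate
either carries an OCSP responder URL (AIA extension) or not, and the
authentication method is configured with one of three OCSP settings.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class OcspMode(Enum):
    NONE = "none"          # default: no status check, revoked certs still authenticate
    OPTIONAL = "optional"  # honor a response if one is obtained, otherwise ignore OCSP
    REQUIRED = "required"  # a "good" response is mandatory (assumed third setting)


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class ClientCert:
    serial: int
    subject: str
    ocsp_url: Optional[str]   # None models a cert without an AIA OCSP URL


# Constructed responder table: url -> {serial: status}. A url missing from the
# table models a responder that cannot be reached (no response at all).
RESPONDERS: Dict[str, Dict[int, OcspStatus]] = {
    "http://onboard.example.test/ocsp": {   # constructed URL
        1001: OcspStatus.GOOD,
        1002: OcspStatus.REVOKED,
    },
}

# Constructed sample certificates covering the cases discussed in the video.
ONBOARD_GOOD = ClientCert(1001, "onboard-laptop", "http://onboard.example.test/ocsp")
ONBOARD_REVOKED = ClientCert(1002, "onboard-lost-phone", "http://onboard.example.test/ocsp")
AD_CERT = ClientCert(5001, "ad-user", None)          # ADCS-issued, no OCSP URL
UNREACHABLE = ClientCert(1001, "remote-site", "http://down.example.test/ocsp")


def query_ocsp(cert: ClientCert) -> Optional[OcspStatus]:
    """Return the responder's status, or None when no response could be obtained."""
    if cert.ocsp_url is None:
        return None                      # nothing to ask: no URL in the certificate
    table = RESPONDERS.get(cert.ocsp_url)
    if table is None:
        return None                      # responder unreachable: no response
    return table.get(cert.serial, OcspStatus.UNKNOWN)


def eap_tls_decision(cert: ClientCert, mode: OcspMode) -> str:
    """Return 'ACCEPT' or 'REJECT' following the policy described in the video.

    Assumes the TLS handshake itself (chain, expiry, signature) already passed;
    only the revocation-status part is modelled here.
    """
    if mode is OcspMode.NONE:
        return "ACCEPT"                  # default behaviour: revoked certs still get in
    status = query_ocsp(cert)
    if status is None:
        # No OCSP response at all: "optional" ignores OCSP, "required" rejects.
        return "ACCEPT" if mode is OcspMode.OPTIONAL else "REJECT"
    if status is OcspStatus.GOOD:
        return "ACCEPT"
    # A response was obtained and it is not "good" (revoked, or unknown to the
    # responder); honoring the response means rejecting. Treating "unknown" as a
    # rejection is an assumption of this model.
    return "REJECT"


if __name__ == "__main__":
    for mode in OcspMode:
        for cert in (ONBOARD_GOOD, ONBOARD_REVOKED, AD_CERT, UNREACHABLE):
            print(f"{mode.value:8} {cert.subject:20} {eap_tls_decision(cert, mode)}")
```

Running the block prints the decision matrix: with the default (no check) every certificate, including the revoked one, is accepted; with "optional" the revoked Onboard certificate is rejected while the ADCS certificate without an OCSP URL still authenticates; with "required" that ADCS certificate would be locked out, which is why the video chooses "optional".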
This video is part of the Aruba ClearPass Workshop series.