ISE has the ability to check the certificate revocation status of certificates presented to it (e.g. a client's cert in an EAP-TLS setup).
I am keen to know what you all use in your real-world deployments.
CRL or OCSP or none
The CRL option is a no-brainer, but it reacts very slowly and it seems like a last-resort method that eventually catches up. Not to mention that CRL files can grow large.
OCSP seems technically better but fraught with issues (latency incurred in the checking, failure scenarios of the OCSP server, stapling/must-staple, httpd support, etc.).
Or no revocation checks - issue short-lived certs and just wait for the expiry to kick in - rather block the user's AD/LDAP account and don't bother with cert revocation.
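Added example, not part of the original post and not ISE's or Cisco's code: a small Python lab, using the `cryptography` library, that builds a throwaway CA and three EAP-TLS style client certs in memory and then runs each of the three options against them: a CRL check (including the "stale CRL" case that is the slow-to-catch-up problem), an OCSP request/response exchange with a local responder (including a responder outage with the client set to fail closed or fail open, and a cert the responder does not know), and the no-revocation option where only notAfter cuts a client off. The CA name, the `laptop-*` subjects, the 5-minute `MAX_CLOCK_SKEW`, the `fail_open` flag and all function names are this example's own assumptions, not ISE settings.

```python
"""Added lab: CRL, OCSP and short-lived-cert-only revocation, against an in-process CA (no network)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
MAX_CLOCK_SKEW = timedelta(minutes=5)  # assumed tolerance for this example, not an ISE setting

def _utc(obj, attr):
    # tz-aware '<attr>_utc' properties exist only on cryptography >= 42; fall back to the naive UTC ones
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name("Lab CA")).issuer_name(_name("Lab CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_client_cert(ca_key, ca_cert, cn, lifetime, issued_at=NOW):
    # 'lifetime' is the only knob the no-revocation strategy has: it bounds how long a lost device keeps working
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(issued_at).not_valid_after(issued_at + lifetime).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials, validity=timedelta(days=7)):
    # nextUpdate is why a CRL only 'eventually catches up': relying parties may cache the old list until then
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + validity))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_status(cert, ca_cert, crl, now=NOW):
    """'good', 'revoked' or 'stale'; an unsigned or expired CRL is never trusted."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL not signed by the expected issuer")
    if now > _utc(crl, "next_update") + MAX_CLOCK_SKEW:
        return "stale"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def make_ocsp_responder(ca_key, ca_cert, issued, revoked_serials):
    """Minimal responder as a callable, so an outage can be simulated by a callable that raises."""
    def respond(request):
        cert = issued.get(request.serial_number)
        if cert is None:  # not in this responder's index: RFC 6960 'unauthorized' error response
            return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
        revoked = cert.serial_number in revoked_serials
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(), this_update=NOW, next_update=NOW + timedelta(hours=1),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            revocation_time=NOW if revoked else None, revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
        return builder.sign(ca_key, hashes.SHA256())
    return respond

def ocsp_status(cert, ca_cert, responder, fail_open=False, now=NOW):
    """'good', 'revoked', 'unknown' or 'unavailable'; fail_open = accept the client when the responder cannot answer."""
    try:
        resp = responder(ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA256()).build())
    except Exception:  # constructed outage: timeout, refused connection, ...
        resp = None
    if resp is None or resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "good" if fail_open else "unavailable"
    # signature first, then binding to this cert and freshness (a replayed 'good' from before the revocation must not pass)
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number or now > _utc(resp, "next_update") + MAX_CLOCK_SKEW:
        raise ValueError("response is for another certificate or is stale")
    return {ocsp.OCSPCertStatus.GOOD: "good", ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")

def validity_status(cert, now=NOW):
    """The no-revocation option: notAfter is the only thing that ever cuts a client off."""
    ok = _utc(cert, "not_valid_before") - MAX_CLOCK_SKEW <= now <= _utc(cert, "not_valid_after")
    return "good" if ok else "expired"

def demo():
    ca_key, ca_cert = make_ca()
    ok = issue_client_cert(ca_key, ca_cert, "laptop-ok", timedelta(days=365))
    lost = issue_client_cert(ca_key, ca_cert, "laptop-lost", timedelta(days=365))
    short = issue_client_cert(ca_key, ca_cert, "laptop-short", timedelta(hours=8), issued_at=NOW - timedelta(hours=9))
    revoked = {lost.serial_number}
    crl = build_crl(ca_key, ca_cert, revoked)
    responder = make_ocsp_responder(ca_key, ca_cert, {c.serial_number: c for c in (ok, lost)}, revoked)
    def outage(_request): raise ConnectionError("OCSP responder unreachable")  # constructed failure
    return {
        "crl": (crl_status(ok, ca_cert, crl), crl_status(lost, ca_cert, crl)),
        "crl_stale": crl_status(ok, ca_cert, crl, now=NOW + timedelta(days=8)),
        "ocsp": (ocsp_status(ok, ca_cert, responder), ocsp_status(lost, ca_cert, responder)),
        "ocsp_not_indexed": ocsp_status(short, ca_cert, responder),
        "ocsp_outage": (ocsp_status(ok, ca_cert, outage), ocsp_status(ok, ca_cert, outage, fail_open=True)),
        "short_lived": (validity_status(ok), validity_status(short)),
    }
```

Running `demo()` gives `crl == ("good", "revoked")` but `crl_stale == "stale"` once the cached list is past its nextUpdate, `ocsp == ("good", "revoked")`, `ocsp_outage == ("unavailable", "good")` depending on the fail-open choice, and `short_lived == ("good", "expired")` for the 8-hour cert issued 9 hours ago. The OCSP client deliberately verifies the responder signature, the serial binding and the freshness window before trusting a status; an OCSP nonce is not used here, so a "good" response could in principle be replayed for up to its nextUpdate window, which is the same trade-off stapled responses make.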