According to the description below from [this article][1], as per my understanding, clients will be allowed to connect even when the client certificate does not have a CRL URL. But what would be the case when "IgnoreNoRevocationCheck" is set in the clients' registry for EAP 13 & 25 but not on NPS or RRAS? I am assuming from the description below that if NPS cannot complete the revocation check, it still allows the clients to connect. Please correct me if I am wrong in understanding the concept here.

> **IgnoreNoRevocationCheck**
>
> When set to 1, NPS allows EAP-TLS clients to connect even when NPS does not perform or cannot complete a revocation check of the certificate chain (excluding the root certificate) of the client. Typically, revocation checks fail because the certificate does not include CRL information.

On the other hand, what could be the security risks when we set the registry value below on the client computers?

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25 --> NoRootRevocationCheck --> 1
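
The following is an added example, not part of the original post or the quoted article: a read-only PowerShell audit that reports whether the two values named above are set under the EAP 13 and 25 keys on the machine where it runs, so the client and NPS/RRAS configurations can be compared side by side. The function name `Get-EapRevocationOverride` and the `State` labels are assumptions made for illustration.

```powershell
# Added example: report the revocation-check overrides named in the post.
# The registry path and value names come from the post; the function name
# and the State labels are hypothetical. Nothing is written to the registry.
function Get-EapRevocationOverride {
    param(
        [int[]]$EapType = @(13, 25),
        [string[]]$ValueName = @('IgnoreNoRevocationCheck', 'NoRootRevocationCheck')
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'

    foreach ($type in $EapType) {
        $key   = Join-Path $base $type
        # $props stays $null when the EAP type key does not exist on this machine.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($name in $ValueName) {
            $data = $null
            if ($props) { $data = $props.$name }

            if (-not $props)        { $state = 'KeyMissing' }
            elseif ($null -eq $data) { $state = 'NotSet' }
            elseif ($data -eq 1)     { $state = 'RevocationCheckRelaxed' }
            else                     { $state = 'SetButNot1' }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                EapType  = $type
                Value    = $name
                Data     = $data
                State    = $state
            }
        }
    }
}

# Run on a client and on the NPS/RRAS server, then compare the two outputs.
Get-EapRevocationOverride | Format-Table -AutoSize
```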