We are using an SSL VPN with users authenticating against AD with LDAPS. I have enabled the "Require client certificate" option in the VPN SSL Settings. I have installed the root certificate from our internal CA on the FortiGate and have installed "Workstation Authentication" certificates from our internal CA on all of our client machines and checked the box to "Allow Non-Administrators to Use Machine Certificates" in the EMS-deployed SSL VPN Client Profile. This is all working perfectly and clients are able to connect successfully. The issue I am having is that if I revoke one of the machine certificates from our internal CA, the machine can still connect successfully. I would have expected a machine without a valid certificate from our CA to be denied.
I have configured the CRL on the FortiGate to auto-check the internal CA's CRL. If I check the CRL on the FortiGate under System -> Certificates -> CRL, it shows that it is connected successfully and I can actually see the revoked certificate in the CRL list there, so it appears to be accurate and functioning correctly.
I'm using FortiOS 7.06, FortiEMS 7.06, and FortiClient 7.06. I checked known issues for each of those releases and can't find any bugs related to this. What am I doing wrong?
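To see what a correct CRL check on a revoked machine certificate looks like outside the gateway, here is an added example (not from the original post or from Fortinet): a throwaway internal CA issues a workstation certificate, revokes it and publishes a CRL, then the same chain validation is run with and without CRL checking. All CA names, file names and the `verify_cert` helper are made up for the example.

```shell
# Added example, not from the original post: a throwaway internal CA issues a
# workstation certificate, revokes it and publishes a CRL; the same chain
# validation is then run with and without CRL checking. All names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p db/newcerts; : > db/index.txt; echo 1000 > db/serial; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./db
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_cn
[ any_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Root CA (the one you would import on the VPN gateway) and one machine cert.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=keyCertSign,cRLSign" \
  -subj "/CN=Demo Internal CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=workstation01" \
  -keyout ws.key -out ws.csr >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in ws.csr -out ws.crt >/dev/null 2>&1
# verify_cert CERT [CRL]: prints "accepted" or "rejected"; CRL checking is only
# performed when a CRL file is supplied, mirroring a gateway with/without a CRL.
verify_cert() {
  if [ -n "$2" ]; then
    openssl verify -CAfile ca.crt -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1 \
      && echo accepted || echo rejected
  else
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 && echo accepted || echo rejected
  fi
}
BEFORE=$(verify_cert ws.crt)
openssl ca -batch -config ca.cnf -revoke ws.crt >/dev/null 2>&1   # revoke the machine cert
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1   # publish the CRL
NO_CRL=$(verify_cert ws.crt); WITH_CRL=$(verify_cert ws.crt ca.crl)
echo "before revocation: $BEFORE | revoked, no CRL check: $NO_CRL | revoked, CRL check: $WITH_CRL"
```

The middle result (a revoked certificate still accepted when no CRL is applied) is the behaviour described in the question; a CRL only takes effect for certificates whose issuer matches the CRL's issuer, so comparing the issuer DN on a client certificate with the issuer of the imported CRL is the first thing to check when a listed certificate is still accepted.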