Have a look at my setup.
I've also changed the LDAP search so that it will match either a SAM or the UPN:
(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))
Also note the Microsoft time is different to Linux. It is based on a 64-bit number starting at 00:00:00 on January 1st 1601 (although Pope Gregory XIII actually signed the creation of the new calendar (Gregorian) in October 1582 - go figure!) in 100ms steps.
To compare to the ClearPass (Linux) you will need to use [Time Source]:Now MS time - hence you can do logical comparisons.
Hopefully the other screenshots will help.
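
An added example (not part of the original post, and not ClearPass code) of the conversion behind this comparison, in Python. It uses the 100-nanosecond tick of Windows FILETIME values and assumes the attribute being compared is an AD timestamp such as accountExpires, which the post does not name; the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000        # one FILETIME tick = 100 nanoseconds
EPOCH_DIFF_SECONDS = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01 (UTC)

# Assumption: the attribute is accountExpires, where both of these
# values mean "never expires" and must not be compared as real dates.
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def unix_to_ms_time(unix_seconds):
    """Linux/Unix seconds -> Microsoft 64-bit time (a 'Now MS time' equivalent)."""
    return (int(unix_seconds) + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND


def ms_time_to_unix(ms_time):
    """Microsoft 64-bit time -> whole Unix seconds (sub-second ticks dropped)."""
    return ms_time // TICKS_PER_SECOND - EPOCH_DIFF_SECONDS


def ms_time_to_datetime(ms_time):
    """Readable UTC datetime, useful when checking what a policy compared."""
    return datetime.fromtimestamp(ms_time_to_unix(ms_time), tz=timezone.utc)


def account_expired(account_expires, now_unix):
    """Compare in the Microsoft time domain, as the policy condition does."""
    if account_expires in NEVER_EXPIRES:
        return False
    return account_expires <= unix_to_ms_time(now_unix)


if __name__ == "__main__":
    # Constructed sample: an account set to expire at 2024-01-01 00:00:00 UTC.
    sample = 133_485_408_000_000_000
    print(ms_time_to_datetime(sample).isoformat())
    print(account_expired(sample, 1_704_067_199))  # one second before expiry
    print(account_expired(sample, 1_704_067_200))  # at expiry
    print(account_expired(0, 1_704_067_200))       # "never expires" sentinel
```

Comparing a raw AD value against an unconverted Linux timestamp would make every dated account look as if it expires far in the future, which is why both sides have to be in the same time base before the logical comparison.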