The good news is that I can get it working with the "Override OCSP URL from Client" option; it appears that you have to enable the NONCE extension on the Microsoft 2008 CA for that, see screenshot ms-ca-online-reponder-config-signing-nonce.png. It might be a good idea to make this configurable on ClearPass, or at least mention that it is used.
I got the hint for this via a blog [1] where someone is checking OCSP via OpenSSL and mentioned the no_nonce flag.
The bad news is that using the OCSP URL from the certificate doesn't work; the other settings are identical, so require OCSP check but no override of the OCSP URL. So my conclusion is that ClearPass can't read the OCSP URL from the certificate correctly. The same blog [1] as above does mention something about this, assuming that ClearPass uses the OpenSSL libraries.
Below is part of the Access Tracker output; I attached the full version also, and a screenshot from the certificate proving the OCSP URL info is in there (ms-ca-certificate-aruba.png):
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=1,
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,168 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:1
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Version value 3
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Serial-Number value 19:28:58:07:00:00:00:00:00:10
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DN value CN=aruba networks,CN=Users,DC=hnk,DC=loc
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value loc
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value hnk
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value Users
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value aruba networks
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DN value CN=hnk-TDC-hnk-01-CA,DC=hnk,DC=loc
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value loc
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value hnk
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-CN value hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-AltName-msUPN value aruba@hnk.loc
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - --> Starting OCSP Request
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Parsing the OCSP URLs in the certificate
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - Certificate does not contain OCSP URL. OCSP check required.
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - OCSP checks have failed
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=0,
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=Users/CN=aruba networks
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:0
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.0 Alert length 0002], fatal certificate_unknown
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - TLS Alert write:fatal:certificate unknown
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate B
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: tls_handshake_recv failed
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - eaptls_process returned 4
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Handler failed in EAP/tls
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: SSL ex data at index 0 - (nil)
2012-12-27 15:25:38,169 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Failed in EAP select
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcallauthenticate]: module "svc_3011_eap" returns invalid for request 223
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: leaving group svc_3011_eap (returns invalid) for request 223
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - auth: Failed to validate the user.
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Found Post-Auth-Type
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Processing the post-auth section of radiusd.conf
2012-12-27 15:25:38,170 [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 223
Any clue, someone, or should I open a TAC case for this one?
Using CPPM version 5.2.0.43003 btw, but I don't believe that the version will matter much; perhaps the OpenSSL version used? Is that visible somewhere?
[1] http://www.carbonwind.net/blog/post/Quickly-probing-with-OpenSSL-for-the-status-of-a-certificate-using-OCSP.aspx
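Added example, not from the post above or from ClearPass: a minimal stdlib-only DER walk of the Authority Information Access (AIA) extension value, which is the structure the "Parsing the OCSP URLs in the certificate" step has to read. It assumes you hand it the raw AIA extension value (the OCTET STRING contents of extension 1.3.6.1.5.5.7.1.1); the two sample values and their hostnames are constructed here, one with an OCSP entry and one without, so the "Certificate does not contain OCSP URL" case can be exercised offline.

```python
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"   # accessMethod OID for an OCSP responder

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:             # last base-128 digit of this arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def ocsp_urls_from_aia(aia_value):
    """Walk AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription and
    return each URI accessLocation ([6], tag 0x86) whose method is id-ad-ocsp."""
    tag, body, _ = _read_tlv(aia_value, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != 0x30:
            continue                 # not an AccessDescription, skip it
        oid_tag, oid_raw, p = _read_tlv(desc, 0)
        loc_tag, loc_raw, _ = _read_tlv(desc, p)
        if oid_tag == 0x06 and loc_tag == 0x86 and _decode_oid(oid_raw) == ID_AD_OCSP:
            urls.append(loc_raw.decode("ascii"))
    return urls

def _der(tag, content):
    """Tiny DER encoder (short-form lengths only) to build the samples below."""
    return bytes([tag, len(content)]) + content

# Constructed samples (placeholder hostnames): caIssuers first, then OCSP, as a
# Microsoft CA typically orders them; the second sample carries no OCSP entry.
_OCSP = _der(0x06, bytes.fromhex("2b06010505073001"))
_CAISSUERS = _der(0x06, bytes.fromhex("2b06010505073002"))
_CA_ENTRY = _der(0x30, _CAISSUERS + _der(0x86, b"http://ca.example.test/ca.crt"))
_OCSP_ENTRY = _der(0x30, _OCSP + _der(0x86, b"http://ocsp.example.test/ocsp"))
SAMPLE_AIA_WITH_OCSP = _der(0x30, _CA_ENTRY + _OCSP_ENTRY)
SAMPLE_AIA_NO_OCSP = _der(0x30, _CA_ENTRY)
```

On a real client certificate the same value can be read with `openssl x509 -in client.pem -noout -ocsp_uri`, which is a quick way to confirm the URL really is in the AIA extension before blaming the server's parser.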