1. What happens to the clients/PCs when the complete cluster goes down? Will there be a network outage because of this, or will the clients bypass the NAC and work normally?
This is dependent on how you have your NADs set up (network access devices: your switches, controllers, etc.). Most can be set up to either fall back to a local database, or a "server-fail" VLAN, which you can use
2. Where should the application licences be installed? As I read in a few threads, it says they should be installed on the publisher. Or should they be installed on the publisher and subscriber separately? If they are installed on the publisher, what happens to the licences when the publisher is down? Does the license get passed to the subscriber when it gets promoted to publisher?
On the publisher. As long as you have everything set up correctly, you shouldn't run into any issues. The licenses essentially get pooled. You may run into some issues if you ever move to new VMs, but from publisher to subscriber you should be fine. TAC is able to migrate licenses as needed if you do ever run into an issue.
3. Do we need to create a separate service for MAC auth and 802.1X auth, or can we use the 802.1X service together with MAB all in one service? I would appreciate any reference on this case.
I would recommend creating 2 separate services; it's going to make your workflow much simpler and easier to manage. Since most NADs send different RADIUS attributes depending on whether you're doing dot1x vs MAC auth, as well as each using different authentication sources, I couldn't imagine the headache of trying to manage it all in one service. That being said, I've never tried it in one service, so it might very well be possible.
As I'm sure others will mention, ClearPass is a behemoth, and very easy to mess up. I would recommend reaching out to your Aruba team for assistance. They can help guide you on best practice and share relevant documentation.
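
Added example (not part of the original reply, and not ClearPass's own rule logic): a Python sketch of how the RADIUS attributes mentioned in answer 3 can separate 802.1X requests from MAB requests, which is what lets each go to its own service. The function names and sample requests are constructed for illustration, and it assumes the NAD sends MAB without EAP.

```python
import re

# Constructed sample Access-Request attribute sets (not captured traffic).
DOT1X_REQ = {
    "User-Name": "alice@example.com",
    "Service-Type": "Framed-User",
    "NAS-Port-Type": "Ethernet",
    "Calling-Station-Id": "00-11-22-AA-BB-CC",
    "EAP-Message": b"\x02\x01\x00\x16\x01alice@example.com",
}
MAB_REQ = {
    "User-Name": "001122aabbcc",
    "Service-Type": "Call-Check",
    "NAS-Port-Type": "Ethernet",
    "Calling-Station-Id": "00-11-22-AA-BB-CC",
}
# Assumption: a NAD that sends MAB as Login-User, so only User-Name reveals it.
MAB_LOGIN_REQ = {**MAB_REQ, "Service-Type": "Login-User", "User-Name": "00:11:22:AA:BB:CC"}

def norm_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    hexdigits = re.sub(r"[-:.]", "", str(value or "")).lower()
    return hexdigits if re.fullmatch(r"[0-9a-f]{12}", hexdigits) else None

def classify(attrs):
    """Pick the service a request belongs to: 'dot1x', 'mab' or 'unmatched'."""
    # 802.1X requests carry an EAP payload (assumption: MAB here is non-EAP).
    if attrs.get("EAP-Message"):
        return "dot1x"
    client = norm_mac(attrs.get("Calling-Station-Id"))
    user = norm_mac(attrs.get("User-Name"))
    # Explicit MAB signal: Service-Type Call-Check with a valid client MAC.
    if attrs.get("Service-Type") == "Call-Check" and client:
        return "mab"
    # Fallback MAB signal: the "username" is the client's own MAC address.
    if client and client == user:
        return "mab"
    return "unmatched"
```

A request that lands in `unmatched` is the case to watch for when splitting services: it means neither service's matching rules would pick it up, so the NAD's attributes need checking before rollout.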