Hi
Is the configuration working without the object-group option?
The experience I had with dACL on cisco is that if the ACL is misconfigured on clearpass it will not be applied to the port.
During the tests I used a default acl applied to all access ports and created dACLs on clearpass based on the access permission given to user's session.
!
ip access-list extended default_acl
permit ip any any
!
interface range f0/1-24
switchport mode access
ip access-group default_acl in
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 10
dot1x max-req 3
dot1x max-reauth-req 10
Please see attached file as an example of the ACL created on Clearpass.