Multiple attempts are needed to log in to NAD devices via TACACS when CPPM is used as the TACACS authentication server and the TACACS requests are load balanced by an external load balancer such as an F5.
On taking a pcap, we noticed the TACACS authentication request being forwarded to one Clearpass node and the TACACS authorization request being sent to a different Clearpass node in the cluster.
NOTE: To view the decrypted TACACS reply, the TACACS shared secret key must be configured in Wireshark; without it only the obfuscated packet body is visible.
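The reason the shared secret is needed: the TACACS+ packet body is not sent in clear text but XORed with an MD5 pseudo-pad derived from the session id, the shared secret, the version and the sequence number (RFC 8907 section 4.5). The following is an added example, not code from the page or from ClearPass or Wireshark, that builds an authentication REPLY asking for the password, obfuscates it the way the protocol does, and decodes it with the right and a wrong key. The session id, the secret and the server message are constructed sample values.

```python
import hashlib
import struct

# RFC 8907 protocol constants (real TACACS+ values, not taken from the page)
TAC_PLUS_AUTHEN = 0x01                # header type: authentication
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05  # server asks the client for the password
TAC_PLUS_MAJOR_VER = 0xC0             # major version 0xC, minor version 0

# Constructed sample values (not from the page)
SESSION_ID = 0x1A2B3C4D
SHARED_SECRET = b"constructed-secret"


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg, session_id, key, seq_no=2):
    """Build a TACACS+ authentication REPLY: 12-byte header + obfuscated body."""
    msg = server_msg.encode()
    # REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    # Header: version, type, seq_no, flags (0 = obfuscated), session_id, length
    header = struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)


def decode_authen_reply(packet, key):
    """Return {'status', 'server_msg'} if the key yields a consistent body, else None."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        return None
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    status, _bflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):   # a wrong key leaves garbage lengths
        return None
    return {"status": status,
            "server_msg": body[6:6 + msg_len].decode(errors="replace")}


if __name__ == "__main__":
    pkt = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, "Password: ",
                             SESSION_ID, SHARED_SECRET)
    print("on the wire :", pkt[12:].hex())
    print("right key   :", decode_authen_reply(pkt, SHARED_SECRET))
    print("wrong key   :", decode_authen_reply(pkt, b"wrong-secret"))
```

This is exactly what Wireshark does with the configured key: with the right secret the GETPASS status and the "Password: " prompt appear, with a wrong one the decoded body is inconsistent and the dissector shows nonsense. The key is never sent on the wire, so a capture alone cannot reveal the reply status.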
In the pcap sequence below, the NAD IP is 10.226.72.222 and the Clearpass node IP is 10.208.50.37. The authentication request is forwarded to node 10.208.50.37, as shown in the pcap sequences above and below:
1. Clearpass requests the password.
2. The NAD device sends the password.
3. Clearpass authenticates the NAD device.
After the authentication succeeds, the authorization request is sent. In the example below, the NAD device is a Cisco WLC.
The authorization request is sent to a different Clearpass node, 10.208.50.38.
As node 10.208.50.38 did not authenticate the NAD device, the authorization request did not succeed on this node and was returned with an unknown status.
On further analysis, we found that the TACACS authorization request was sent to a different node because an F5 load balancer sits between the NAD devices and the Clearpass cluster, and the F5 was load balancing the TACACS requests from the NAD devices across the cluster nodes.
Because Clearpass does not cache the TACACS authentication state across the nodes of a cluster, the TACACS authentication request and the TACACS authorization request for a session must reach the same Clearpass node.
Since the F5 is load balancing the requests, the way to ensure that the TACACS authentication and TACACS authorization requests hit the same node is to enable session persistence on the F5 load balancer.
Enabling session persistence on the F5 load balancer ensures that the TACACS authentication and TACACS authorization requests for a particular NAD session hit the same Clearpass node, and the TACACS authorization then succeeds, as shown in the pcap below.
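To make the failure mode and the fix concrete, here is an added simulation (not ClearPass or F5 code, and not from the page): two cluster nodes, each keeping only the authentications it has itself seen, behind a load balancer that either round-robins every request or pins a NAD source address to one node. The node IPs and the NAD IP are the ones from the pcap above; the user database, the cache key (NAD IP plus username) and the source-address style of persistence are assumptions made for the model.

```python
from itertools import cycle

# Addresses from the page; credentials are constructed for the model
NODE_IPS = ["10.208.50.37", "10.208.50.38"]
NAD_IP = "10.226.72.222"
USERS = {"netadmin": "constructed-pw"}


class ClearPassNode:
    """A cluster node whose authentication state is local to the node only."""

    def __init__(self, ip):
        self.ip = ip
        self.authenticated = set()   # (nad_ip, user) pairs this node authenticated

    def authenticate(self, nad_ip, user, password):
        if USERS.get(user) == password:
            self.authenticated.add((nad_ip, user))   # assumed cache key
            return "PASS"
        return "FAIL"

    def authorize(self, nad_ip, user):
        # A node that never saw the authentication cannot authorize the session;
        # the page reports this as an unknown status in the reply.
        if (nad_ip, user) in self.authenticated:
            return "PASS_ADD"
        return "UNKNOWN"


class LoadBalancer:
    """persistence='none' round-robins every request; 'source_addr' pins a client."""

    def __init__(self, nodes, persistence="none"):
        self.persistence = persistence
        self._rr = cycle(nodes)
        self._table = {}          # source IP -> node, used with persistence

    def select(self, src_ip):
        if self.persistence == "source_addr" and src_ip in self._table:
            return self._table[src_ip]
        node = next(self._rr)
        if self.persistence == "source_addr":
            self._table[src_ip] = node
        return node


def tacacs_login(lb, nad_ip, user, password):
    """Authentication followed by authorization, each a separate request via the LB."""
    authen_node = lb.select(nad_ip)
    if authen_node.authenticate(nad_ip, user, password) != "PASS":
        return (authen_node.ip, None, "FAIL")
    author_node = lb.select(nad_ip)
    return (authen_node.ip, author_node.ip, author_node.authorize(nad_ip, user))


def run(persistence, attempts=4):
    """Return (authen_node, author_node, authorization result) for each login."""
    lb = LoadBalancer([ClearPassNode(ip) for ip in NODE_IPS], persistence)
    return [tacacs_login(lb, NAD_IP, "netadmin", "constructed-pw")
            for _ in range(attempts)]


if __name__ == "__main__":
    for mode in ("none", "source_addr"):
        print(mode)
        for row in run(mode):
            print("  authen", row[0], "-> author", row[1], ":", row[2])
```

In the toy round-robin every login is split across the two nodes, so every authorization comes back UNKNOWN; on a real F5 the TACACS requests are interleaved with other traffic, so some logins happen to land on the same node, which is the intermittent "multiple attempts" symptom. With persistence the NAD is pinned to 10.208.50.37 and both requests are authorized there. When checking a fix in a capture, confirm that the authentication and authorization packets from one NAD carry the same destination node address, not just that the authorization reply is PASS_ADD.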