I recently configured TACACS for controller www/ssh login, using ClearPass as the TACACS server. I initially had problems because the NAS IP sent didn't match the IP address entered in ClearPass. The IP in ClearPass is the source IP used for RADIUS traffic from the controller. For TACACS, the controller was sending one of the SVIs as the NAS IP. I was surprised to find that the controller didn't use the RADIUS source interface/IP that was specified. Granted, RADIUS and TACACS are different; I thought the controller might still use the specified IP, but it did not. Even more surprising was that the SVI was selected rather than the controller's loopback. I thought I read that the loopback will be used as the source for all RADIUS traffic (again, I know this is TACACS) if a RADIUS source interface isn't specified, so I at least expected the loopback to be used by TACACS.
Should the loopback be used for TACACS traffic?
Is there a way to specify a source interface/IP for TACACS?