Have been working on a reported issue in this ClearPass (6.11 publisher / subscriber - L3) environment where the AD authentication source doesn't fail over correctly when the primary AD server is down for TACACS requests. This is a well connected environment with 10ms max between the sites.
Narrowed it down to the TACACS timeout on the switch (ProCurve / AOS-S) and the Server Timeout in the ClearPass authentication source.
With, for example, a 2-second timeout on the ClearPass AD authentication source and 6 seconds on the switch TACACS timeout, it works fine. The switch waits long enough for ClearPass to attempt to reach the backup 1 server. Which it seems to attempt twice?
Are these "normal" values? Or can you handle it with lower / higher in your environment?