Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS Command Authorization AOS-CX

  • 1.  TACACS Command Authorization AOS-CX

    Posted 9 hours ago

    This is kind of a two-part question, one part of which is probably more appropriate for a CX community, but ClearPass is the central element, so here we are. I am trying to get command authorization working on AOS-CX with ClearPass. On the ClearPass side, I have logs of the command matching, but what it allows or denies never seems to align with what I have configured. About the time I get one command working, something else stops working. The command "power-over-ethernet" is one example. As a command with no arguments, I can't get it to authorize it. If I add a .* as an argument, it will work, but so does every other argument. I can see the commands sent to ClearPass in the ClearPass logs, and it hits the service, policy, and profile it is supposed to; it is just rubbish at matching the commands defined in the profile and returning the correct response.

    The second part of this is, has anyone done this with CX? I tried debugging TACACS and AAA on CX and absolutely nothing hit the debug buffer, even though it was clearly sending TACACS messages to ClearPass, because ClearPass saw them. It makes it really hard to troubleshoot when debug doesn't seem to work. The switch in question is a 6300M running 10.10. This isn't the first time I've come across useless debug commands. I feel like I am missing an obvious step or something.