Hi,
What is the ClearPass Version?
External TACACS server can only be used for GUI and not for CLI/SSH till ClearPass 6.7.x.
The ClearPass server follows the order,
- Local Admin Repository
- and then try the external/remote TACACS Server
- and then generates a TACACS request locally.
If you see the login request hitting the default service "[Policy Manager Admin Network Login Service]" in the local server, then the ClearPass is not able to reach the external server or the external server rejected/dropped the request.
You can run packet capture from the ClearPass server to confirm whether the TACACS auth request to the external server is being sent or not.
Navigation to Run Packet capture - Administration >> Server Manager >> Server Configuration >> Collect Logs >> Check the box "Capture network packets Duration of dump" (ensure all the other boxes are not checked).
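
One way to read the resulting capture for the check described above (an added example, not part of the original reply and not ClearPass code): it classifies TCP port 49 (TACACS+) traffic between ClearPass and the external server as not sent, refused, unanswered, or sent. It assumes the capture is a classic little-endian pcap with Ethernet framing; the addresses, the sample capture and all function names are constructed for illustration.

```python
import struct
from socket import inet_aton

def tacacs_verdict(pcap: bytes, server_ip: str) -> str:
    """Classify TCP/49 traffic to server_ip in a little-endian Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, Ethernet link type")
    server = inet_aton(server_ip)
    syn = synack = rst = data = False
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]  # captured length
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep IPv4/TCP only
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if frame[30:34] == server and dport == 49:    # ClearPass -> external server
            syn |= bool(tcp[13] & 0x02)
            # IP total length minus both headers > 0 means a TACACS+ payload was sent
            data |= struct.unpack_from("!H", frame, 16)[0] - ihl - (tcp[12] >> 4) * 4 > 0
        elif frame[26:30] == server and sport == 49:  # external server -> ClearPass
            synack |= (tcp[13] & 0x12) == 0x12
            rst |= bool(tcp[13] & 0x04)
    if not syn and not data:
        return "not-sent"      # ClearPass never tried the external server
    if rst and not synack:
        return "refused"       # port closed or connection actively rejected
    if not synack and not data:
        return "no-reply"      # SYNs unanswered: dropped or unreachable
    return "request-sent" if data else "connected-no-request"

def build_frame(src, dst, sport, dport, flags, data=b""):  # constructed frame, zero checksums
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 1024, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp

def build_pcap(frames):  # wrap constructed frames in a classic pcap file
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

CPPM, EXT = "192.0.2.10", "192.0.2.49"  # constructed documentation addresses
DROPPED = build_pcap([build_frame(CPPM, EXT, 40000, 49, 0x02)] * 3)  # SYN retries, no answer
```

A "request-sent" verdict only shows the request left ClearPass; whether the external server then accepted or failed the login has to be read from that server's own logs.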