So following this guide: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-authenticate-IAP-admin-user-against-CPPM-over-TACACS/ta-p/192931
And get an error in event viewer whenever a TACACS packet has been received.
Authentication failure: shared secret mismatch or bad tacacs packet from device=<snip>
The shared secret has been triple checked as correct. Clearpass is happily accepting RADIUS packets from these IAPs and also has other fully functioning TACACS services, so there doesn't appear to be any configuration issue, and the problem appear to be specific to the Instant AP which is running version 6.4.0.3. This error occurs regardless of whether the service is enabled or not, so it cannot be a service config issue.
Normally I would go to packet capture at this point but I don't think clearpass has this facility.
Anyone seen this before?