My S4 will not authenticate CLI access using our TACACS server. It looks like all of the settings are correct; TACACS is enabled and authentication login is set to 'any'. I have mirrored this on a deployed C5 with zero issues.
The S4 is not hitting the TACACS server, according to the logs, and I cannot see any TACACS traffic when I Wireshark the ports.
Without a configured management interface the S4 will use a loopback interface's or the outgoing interface's IP address as source address. That is probably not the IP configured on the TACACS+ server, and not the IP you were looking for in packet captures.
TACACS+ and RADIUS servers usually ignore all requests from IP addresses not configured as clients. Ping packets are answered irrespective of the source IP. This is probably the reason for ping working. Ping will use the outgoing interface's IP address unless a specific source address/interface is specified.
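The answer above boils down to a source-address mismatch: the switch sends TACACS+ requests from an address the server was never told about, the server silently ignores them, and ICMP (which has no client list) still gets answered. The following is an added example, not code from the original thread or from any vendor, that runs that diagnosis over a constructed capture summary. It assumes a hand-built list of packets (source, destination, protocol, destination port, TCP flags) such as you would read off a Wireshark or tcpdump display, and a constructed set of client IPs registered on the TACACS+ server; the IP addresses are invented for the example.

```python
"""
Diagnose silently dropped TACACS+ requests from a packet-capture summary.

Added example, not from the original thread. Everything below (addresses,
registered clients, packet list) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

TACACS_PORT = 49  # TACACS+ servers listen on TCP/49


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "icmp"
    dport: Optional[int] = None
    flags: str = ""            # TCP flags as Wireshark shows them: "S", "SA", "A"...


def tacacs_requests(capture: Iterable[Packet], server_ip: str) -> List[Packet]:
    """Connection attempts (TCP SYN) from any device to the TACACS+ server."""
    return [p for p in capture
            if p.proto == "tcp" and p.dst == server_ip
            and p.dport == TACACS_PORT and p.flags == "S"]


def diagnose(capture: Iterable[Packet], registered_clients: Set[str],
             server_ip: str) -> Dict[str, object]:
    """Compare the addresses the switch actually sources from with the
    server's client list, and record what the server answered."""
    capture = list(capture)
    requests = tacacs_requests(capture, server_ip)
    sources = sorted({p.src for p in requests})
    unregistered = sorted(s for s in sources if s not in registered_clients)
    # Any TCP traffic from the server back to a requesting address.  Note a
    # daemon that checks the client list after accept() may still complete
    # the handshake and then close, so the definitive sign of the problem is
    # the address mismatch, not merely the absence of replies.
    server_tcp_replies = any(p.proto == "tcp" and p.src == server_ip
                             and p.dst in sources for p in capture)
    ping_answered = any(p.proto == "icmp" and p.src == server_ip for p in capture)
    return {
        "request_sources": sources,
        "unregistered_sources": unregistered,
        "server_tcp_replies": server_tcp_replies,
        "ping_answered": ping_answered,
    }


# Constructed scenario matching the thread: the server at 10.0.0.5 knows the
# switch only by its management VLAN address 10.0.10.2, but with no management
# interface set the switch sources TACACS+ from a loopback address.
SERVER_IP = "10.0.0.5"
REGISTERED_CLIENTS = {"10.0.10.2", "10.0.10.3"}

BEFORE_FIX = [
    Packet("10.0.10.2", SERVER_IP, "icmp"),                 # ping, management IP
    Packet(SERVER_IP, "10.0.10.2", "icmp"),                 # ping reply: ICMP has no client list
    Packet("192.168.255.1", SERVER_IP, "tcp", 49, "S"),     # TACACS+ SYN from loopback
    Packet("192.168.255.1", SERVER_IP, "tcp", 49, "S"),     # retransmit, still ignored
]

AFTER_FIX = [
    Packet("10.0.10.2", SERVER_IP, "tcp", 49, "S"),         # sourced from management IP
    Packet(SERVER_IP, "10.0.10.2", "tcp", None, "SA"),      # server now responds
]


if __name__ == "__main__":
    for label, cap in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, diagnose(cap, REGISTERED_CLIENTS, SERVER_IP))
```

Run against the "before" capture it reports one TACACS+ source, 192.168.255.1, that is not in the server's client list while ping was answered; the "after" capture, sourced from the management address, shows no unregistered sources and a TCP reply from the server. When reading a real capture, filter on `tcp.port == 49` and check the source column against the server's client configuration rather than only looking for traffic to the server's address.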
I did not have an interface set up as a 'Management Address'. Once I entered the command "set ip interface vlan.0.XX default", everything started working fine.
I'm hypothesizing that since no interface was set up as management, it was defaulting to the lowest interface IP address, which is a loopback interface; thus the reason why no TACACS+ messages were hitting my server.
I'm still stumped on why a ping would go through though. If the TACACS+ packets were defaulting to using the loopback (since nothing was defined), why wouldn't the ping use the loopback and fail?