MX platform. I've found that if the route to the TACACS server is via a VRF, TACACS authentication does not work. There is no routing-instance option under the [system tacplus-server] config. There is no TACACS config available under the VRF instance either. I can ping the TACACS server only when sourced from the routing-instance. So IP reachability to the TACACS server is not the issue. I have a JTAC case open but it's slow moving.
I found this post from 2011, so I'm curious if this is accurate and if there is a workaround I can implement.
Leaking global routes into the routing instance is only possible if the global table has the routes for the destinations. Another solution is to reverse the interfaces into a routing instance. The customer/internet traffic is kept separated from management and all functions work... TACACS, NTP, SNMP, etc.
Existing TACACS+ behavior is made VRF aware (MX Series)—Starting in Junos OS Release 18.2R1, the routing-instance statement at the [edit system tacplus-server server-address] hierarchy level and [edit system accounting destination tacplus server server-address] hierarchy level can now be used to configure any routing instance present at the [edit routing-instances] hierarchy level.
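As an added illustration (not part of the original posts or of the release notes), this is how the routing-instance statement quoted above looks in set-format at both hierarchy levels on 18.2R1 or later. The server address 192.0.2.10, the instance name MGMT-VRF and the secret are placeholders, and the instance is assumed to exist already under [edit routing-instances].

```junos
# Placeholder values: 192.0.2.10 (TACACS+ server), MGMT-VRF (existing routing instance)

# Authentication: reach the TACACS+ server through the routing instance
set system tacplus-server 192.0.2.10 secret "<shared-secret>"
set system tacplus-server 192.0.2.10 routing-instance MGMT-VRF

# Keep local password as a fallback so a lost path to the server does not lock out operators
set system authentication-order [ tacplus password ]

# Accounting: the accounting destination needs its own routing-instance statement
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.0.2.10 secret "<shared-secret>"
set system accounting destination tacplus server 192.0.2.10 routing-instance MGMT-VRF
```

Setting the statement only under [edit system tacplus-server] leaves accounting records using the default instance, so both places need it if command accounting is expected to reach the same server.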