I figured as much that I would have to end up using our Clearpass as a tacacs solution using tfa to OKTA if I want to receive the shell response back.  I was trying to eliminate complexity and figured OKTA has this Radius App and the solution should ...

There is a reference in the Client IP for Vendor Specific but the only response is in the groups.  If you know of a way to reference Cisco-AV-Pair = shell:priv-lvl=7 that would be awesome.  I can get it to send group names back but not sure how I wou...

I am in process of getting this to work.  I got it to work using the authentication piece.  We use the Radius Agent and then use the Radius application in the cloud.  It doesnt pass authorization though.  SO if you you want the tfa with the username ...