IKEpacket from x.x.x.x was not encrypted and it should have been

rlewis1951
Level 1

New to the group and I do have a situation that I hope someone can help me with. I am trying to set up a lab for one of my courses and I am using XP with Cisco VPN Client 5.0.0.3, a Cisco 2621XM router and Cisco Secure ACS version 4.2 configured for RADIUS.

My problem is this: when I open the VPN client and click Connect, I get the following message back.

*Mar 1 01:21:49.935: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.

The packet is not getting past the router so I cannot even see if the ACS is working.

I have searched high and low and have not been able to find an answer to the problem. Can someone here give me a hand?
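The message quoted in the question has the standard IOS syslog shape %FACILITY-SEVERITY-MNEMONIC followed by free text, and the IKE messages name the peer address in that text. The following Python is an added example, not part of this thread, that parses such lines and counts CRYPTO messages per peer, so a client address that keeps producing IKMP_NOT_ENCRYPTED stands out in a monitoring pipeline instead of being read off the console. The sample log is constructed: its first line is the one from the question and the remaining lines are made up; the function names are this example's own.

```python
import re
from collections import Counter

# IOS message shape: [*]<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>
# The timestamp is optional because it only appears when 'service timestamps log' is configured;
# a hostname or sequence-number prefix added by a remote syslog collector would need stripping first.
IOS_LINE = re.compile(
    r"^(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
PEER = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ios_syslog(line):
    """Return a dict with ts, facility, severity, mnemonic, text and peer, or None for non-IOS lines."""
    m = IOS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    p = PEER.search(rec["text"])
    rec["peer"] = p.group("ip") if p else None  # only messages that say "from <ip>" carry a peer
    return rec


def crypto_peer_summary(lines):
    """Count CRYPTO messages per (peer, mnemonic); other facilities and peerless messages are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_ios_syslog(line)
        if rec and rec["facility"] == "CRYPTO" and rec["peer"]:
            counts[(rec["peer"], rec["mnemonic"])] += 1
    return counts


def noisy_peers(lines, mnemonic="IKMP_NOT_ENCRYPTED", threshold=3):
    """Peers that produced the given mnemonic at least `threshold` times, sorted for stable output."""
    summary = crypto_peer_summary(lines)
    return sorted(peer for (peer, mn), n in summary.items() if mn == mnemonic and n >= threshold)


# Constructed sample log: the first line is the one quoted in the question, the rest are made up.
SAMPLE_LOG = [
    "*Mar 1 01:21:49.935: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.",
    "*Mar 1 01:21:52.103: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.",
    "*Mar 1 01:21:55.240: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.",
    "*Mar 1 01:22:01.017: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.14 was not encrypted and it should've been.",
    "*Mar 1 01:22:10.001: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 11.11.11.20 was not encrypted and it should've been.",
    "*Mar 1 01:22:11.120: %SYS-5-CONFIG_I: Configured from console by console",
    "this line is not an IOS syslog message",
]

if __name__ == "__main__":
    for (peer, mnemonic), n in sorted(crypto_peer_summary(SAMPLE_LOG).items()):
        print(f"{peer:<15} {mnemonic:<22} {n}")
    print("peers over threshold:", noisy_peers(SAMPLE_LOG))
```

The threshold is deliberately low: one such message per connection attempt is what a single misconfigured client produces, so a burst from one address is a configuration or state problem on that client's session, while the same mnemonic spread over many addresses would be worth looking at differently.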

4 Replies

Please post your config.

I used the configuration from an example from the Cisco website. I will post it here. I also followed the setup outlined in the example for the ACS but it doesn't seem to get that far. Thanks for the help.

!--- Enable AAA for user authentication and group authorization.
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius" specifies RADIUS user authentication.
aaa authentication login userauthen group radius
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor group radius
!
!
ip subnet-zero
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
crypto dynamic-map dynmap 10
 set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!--- Apply the crypto map on the outside interface.
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 172.18.124.159 255.255.255.0
 no keepalive
 half-duplex
!
!--- Create a pool of addresses to be assigned
!--- to the VPN Clients.
ip local pool ippool 10.16.20.1 10.16.20.200
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip http server
ip pim bidir-enable
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
radius-server retransmit 3
call rsvp-sync

Perhaps you should establish a working configuration with local authentication and authorization, and then migrate to RADIUS.

If you agree, you might try this first:

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group psk-grp
 key cisco123
 pool ippool
 acl 101

crypto isakmp profile psk-prof
 match identity group psk-grp
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile psk-prof
 reverse-route

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0/0
 crypto map clientmap

ip local pool ippool 10.16.20.1 10.16.20.200

access-list 101 remark --- Split tunneling for VPN client.
access-list 101 permit ip 172.18.124.0 0.0.0.255 10.16.20.0 0.0.0.255
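The reply above attaches Xauth and group authorization through an ISAKMP profile bound to the dynamic map, while the configuration in the question attaches them on the crypto map itself. Both styles work only if every name involved (AAA lists, client group, profile, transform set, dynamic map, crypto map, address pool) resolves to something defined elsewhere in the config, and a dangling name is easy to miss when reading a config by hand. The following Python is an added example, not part of this thread, that parses a running config into command blocks and reports names that do not resolve, plus a few structural checks. The two embedded configs are trimmed copies of the ones posted above; the function names `parse_ios` and `check_easy_vpn` are this example's own. It does not diagnose the IKMP_NOT_ENCRYPTED message: for the RADIUS design, the "no local client configuration group" finding is expected, because in that layout the group attributes come from the AAA server rather than from the router.

```python
import re


def parse_ios(text):
    """Split running-config text into (command, [sub-commands]); '!' and comment lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:  # indented line belongs to the previous top-level command
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_easy_vpn(text):
    """Return sorted findings for an Easy VPN server config; [] means every reference resolves."""
    blocks = parse_ios(text)
    tops = [c for c, _ in blocks]
    lines = tops + [x for _, kids in blocks for x in kids]

    def names(prefix, idx):  # name at word position idx -> sub-commands, for commands with this prefix
        return {c.split()[idx]: kids for c, kids in blocks if c.startswith(prefix)}

    findings = set()
    if "aaa new-model" not in tops:
        findings.add("aaa new-model missing")
    if not any("authentication pre-share" in k for k in names("crypto isakmp policy ", 3).values()):
        findings.add("no ISAKMP policy uses authentication pre-share")
    groups, pools = names("crypto isakmp client configuration group ", 5), names("ip local pool ", 3)
    if not groups:  # expected in the RADIUS design: the group attributes come from the AAA server
        findings.add("no local client configuration group (attributes must come from AAA)")
    for g, kids in groups.items():
        if not any(k.startswith("key ") for k in kids):
            findings.add(f"group {g}: no pre-shared key")
        for k in kids:
            if k.startswith("pool ") and k.split()[1] not in pools:
                findings.add(f"group {g}: pool {k.split()[1]} undefined")
    maps = {m.group(1) for c in tops for m in [re.match(r"crypto map (\S+) \d+ ipsec-isakmp", c)] if m}
    refs = [  # (pattern that references a name, where that name must be defined, label)
        (r"client authentication list (\S+)", names("aaa authentication login ", 3), "login list"),
        (r"isakmp authorization list (\S+)", names("aaa authorization network ", 3), "authorization list"),
        (r"match identity group (\S+)", groups, "client group"),
        (r"set transform-set (\S+)", names("crypto ipsec transform-set ", 3), "transform-set"),
        (r"set isakmp-profile (\S+)", names("crypto isakmp profile ", 3), "isakmp profile"),
        (r"ipsec-isakmp dynamic (\S+)", names("crypto dynamic-map ", 2), "dynamic map"),
        (r"^crypto map (\S+)$", maps, "crypto map"),
    ]
    for line in lines:
        for pattern, defined, label in refs:
            m = re.search(pattern, line)
            if m and m.group(1) not in defined:
                findings.add(f"{label} {m.group(1)} referenced but not defined")
    if not any(re.match(r"crypto map \S+$", x) for x in lines):
        findings.add("crypto map not applied to any interface")
    return sorted(findings)


# Trimmed copy of the config posted in the question (RADIUS design, indentation restored).
RADIUS_CONFIG = """\
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto isakmp policy 3
 encr 3des
 authentication pre-share
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key cisco123
"""

# Trimmed copy of the local-authentication config suggested in the reply.
LOCAL_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group psk-grp
 key cisco123
 pool ippool
crypto isakmp profile psk-prof
 match identity group psk-grp
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile psk-prof
 reverse-route
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
"""
```

Running `check_easy_vpn(LOCAL_CONFIG)` returns an empty list, and `check_easy_vpn(RADIUS_CONFIG)` returns only the informational group finding; deleting the `ip local pool` line or misspelling the profile name in `set isakmp-profile` produces a finding that names the dangling reference, which is the kind of slip that survives copy-and-paste from a documentation example.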

Thanks for the reply. I did have it working with AAA local and wanted to move on to the ACS. Do you think I should continue on with RADIUS or go over to TACACS+?