I have been using the ACS server as a TACACS+ host on the switch. The ACS server allows me to add an Active Directory group to an ACS group, and when you log in you get privilege level 15 but with a restricted command set. You can see who entered what command where in the ACS logs... It is working!
Unfortunately, when I change the authentication type to RSA SecurID, only the first A (Authentication) works. I can't get it to authorize privilege level 15 or other commands. The only thing I can do is set it back to the local enable password, and it would seem I also lose the accounting... In the logs, the return request for Authorisation is not accepted by the ACS/RSA.
So the ACS actually acts as a TACACS+ intermediary and passes the requests to RADIUS for authentication only, so the ACS does the AAA part, with the Authentication element being passed on to the RSA. The issue is that when you do this on Windows it uses the same username/password for login and enable, but when you use a token/keyfob the username/password changes and you don't get the chance to enter it again.
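The AAA split described in this post (authentication handed off to the token server, authorization and accounting answered by ACS over TACACS+) is easier to reason about when each leg is visible in the switch configuration. The following Cisco IOS AAA fragment is an added illustration, not configuration taken from the original post or from any ACS documentation; the server address, shared key and line names are placeholders. It shows the one-time-password pitfall the poster hits: login and enable are separate authentication exchanges, so with a token that changes every minute the enable step cannot reuse the login credential.

```cisco
! Added example: AAA split between login/enable authentication and
! command authorization/accounting. Addresses and keys are placeholders.
aaa new-model

! Both legs go to the same TACACS+ server (ACS); ACS in turn forwards the
! authentication to the token server, as the post describes.
tacacs server ACS-PLACEHOLDER
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-KEY

! Authentication: login and enable are separate exchanges. With a
! one-time token, a second prompt (or a separate enable method) is needed
! because the token value used at login is no longer valid.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

! Authorization: privilege level and per-command checks are answered by
! ACS from the group mapping, independent of which backend authenticated.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

! Accounting: command records are what shows "who entered what command"
! in the ACS logs; falling back to the local enable password loses this leg.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

! Local fallback so the device stays reachable if ACS is unavailable.
enable secret PLACEHOLDER-LOCAL-SECRET
```

When verifying a setup like this, check three separate outcomes rather than one: that the login exchange succeeds against the token server, that the exec authorization reply from ACS carries the expected privilege level, and that command accounting records still arrive at ACS. The post's symptom (authentication passes but authorization is rejected) points at the second and third legs, which are decided by ACS's group-to-policy mapping and not by the token server.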