Just thought I would chime in. In my past job we used Secure ACS servers to authenticate all VPN traffic, Equipment access authentication for Network Admins as well as HTTP and FTP authentication for clients at more than 200 edge sites.
As we deployed this we felt that this should be in the most secure segment of our network. Therefore we deployed it to our dedicated management VLAN. We deployed all high level network management tools to this VLAN including Openview and other critical control resources.
We secured this area through extended ACLs allowing only devices that needed to talk to the ACS or other components for that matter by specific ports and addresses. This segment also featured dedicated IDS to monitor it as well as ACLs dictating 16 total ip addresses that could be used to manage equipment in this segment.
While you may not require that level of protection I would avoid placing ACS in your DMZ. By their nature DMZs are less secure than you inside network. The only time I could see deploying and ACS or another direct authentication sources such as AD would be if external users are the only users that would be accessing this resources. Even then though you need to consider the ramifications of you authentication resource being compromised. Good luck with your ACS deployment.
