This problem occurs due to the presence of Cisco bug ID CSCeg51873.
The CiscoSecure ACS for Windows chooses a TACACS+ Network Device Group (NDG) to apply Network Access Restrictions (NARs), instead of a RADIUS NAR.
This problem occurs when these two conditions are met:
Both a TACACS+ and RADIUS Network Access Server (NAS) are defined with the same IP address and placed in separate NDGs.
Authentication is performed through RADIUS.
The NDG that contains the TACACS+ NAS is always used. ACS chooses the wrong NDG for NAR matching. As a result, access is blocked for all users, and the ACS Failed Authentication log displays the User access filtered error message.
As a workaround, stop all seven CiscoSecure ACS services in Windows and restart them.
Open a service request with the Cisco Technical Assistance Center (TAC) for further assistance.