1) Yes, you can do multiple remote access servers. The order will be RADIUS:TACACS:LDAP:LocalDB when remote auth is preferred. Known feature request to allow choosing the order, not enough customer interest to push it beyond the Product team.
2) Yes, LDAP-S is supported, with option to validate server certs.
3) Yes, you can choose different port.
This is all controlled from the AMP Setup -> Authentication tab.