Alan,
I cannot speak to the RADIUS portion of the implementation, but I've just overcome all the hurdles
of implementing AAA/TACACS to Cisco Switches/Routers during a pilot to replace ACS.
We're using Active Directory as the Authentication/Authorization source with multiple AD Admin-Groups
and multiple Device Groups spread over about ten distinct business units covering ~160 sites in the U.S.
and Canada.
I would be happy to share some of my hard won knowledge.
Vince