When using RADIUS, the Cisco Prime roles control the access details. The CPPM Enforcement Profile is quite simple. You need to return, at a minimim, 2 attributes.
For example,
Radius:Cisco Cisco-AVPair = NCS:role0=Admin
Radius:Cisco Cisco AVPair = NCS:virtual-domain0=ROOT-DOMAIN
This is for a Prime Admin user, of course.
You can see the role information by going to:
Administration / Users / Users, Roles, & AAA / User Groups and click on the Task List link beside the desired role. The top line is the role information needed. Note that this page says
"If the size of the RADIUS attributes on your AAA server is more than 4096 bytes, Please copy ONLY role attributes,PI will retrieve the associated TASKS"
This is the key to simplify this. I believe TACACS would need to sent all the Custom Attributes.
There is a Cisco authentication document online, focussed on Cisco ACS. Contact me off-list if you want a link. I hesitate to post a competitor's link on this forum.