The Niagara Users Guide TACACS section is a half page, and says here is where you configure the IP and preshared key, so unfortunately not helpful.
I did create a custom Deny profile with the correct dictionary, however it is ignored. I send back priv 0, or priv 1, and I still get access with admin role. I think it only looks for the authentication response, not authorization values.
I worked with TAC and we did figure out how to do this. Basically we needed to replicate the auth source, and in the user query add &(memberof=CN=XXX,OU=XYZ...DC=com). So basically the user lookup only succeeds if the user is part of the required group. It's not pretty, and it doesn't support nested groups, but at least now it denies the users correctly.
Thanks for the ideas everyone.
_ELiasz
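The group-restricted user lookup described in the post above, as an added example that is not part of the original post or any vendor's code: it builds the query with RFC 4515 escaping and evaluates it against a constructed directory to show why a directly assigned user passes and a nested one does not. The `sAMAccountName` base filter, the group DNs and the users are assumptions; the `nested=True` variant uses Active Directory's in-chain matching rule, and whether a given auth source accepts it is untested here.

```python
# Added illustration: every name, DN and directory entry below is constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # Active Directory LDAP_MATCHING_RULE_IN_CHAIN

GROUP = "CN=Net-Admins,OU=Groups,DC=example,DC=com"
TIER3 = "CN=Tier3,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"

# Direct memberOf values per user, and group-in-group membership.
USERS = {"alice": [GROUP], "bob": [HELPDESK], "carol": [TIER3]}
GROUP_PARENTS = {TIER3.lower(): [GROUP]}  # Tier3 is nested inside Net-Admins


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def user_query(username: str, group_dn: str, nested: bool = False) -> str:
    """User lookup that only matches when the user is in group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (
        f"(&(sAMAccountName={escape_filter_value(username)})"
        f"({attr}={escape_filter_value(group_dn)}))"
    )


def lookup_succeeds(username: str, group_dn: str, nested: bool = False) -> bool:
    """Simulate the directory's answer to user_query() for the sample data."""
    want = group_dn.lower()
    seen = set()
    todo = [g.lower() for g in USERS.get(username, [])]
    while todo:
        group = todo.pop()
        if group == want:
            return True
        # A plain memberOf test stops at direct groups; in-chain walks parents.
        if nested and group not in seen:
            seen.add(group)
            todo.extend(p.lower() for p in GROUP_PARENTS.get(group, []))
    return False


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, user_query(name, GROUP), lookup_succeeds(name, GROUP))
    print("carol (in-chain)", lookup_succeeds("carol", GROUP, nested=True))
```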