IAP supports TACACS administrative access in the most recent version. (I'm not sure about other versions). Configure the TACACS server under "Security". Make sure the IAP is enabled on the TACACS server side and a shared key is on both. One thing to note is that the TACACS requests come from the AP not the VC address, be sure to verify your logic (especially if using ClearPass).