Currently I use ACS4.1 to authenticate network admin access to routers and switches. Users credentials are authenticated against an Microsoft AD domain but group membership is handled via ACS due to us not wanting to deal with the corporate AD bureau...