This seems like it should be a no brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.
I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
aaa-server RADIUS protocol radius
interim-accounting-update periodic 1
aaa-server RADIUS (inside) host 10.12.12.61
Because both TACACS and RADIUS are both pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove TACACS configuration or point it to our old ACS server than everything works fine.
I am also unable to move the TACACS configuration below the Radius.