07-31-2018 05:46 AM
Hello,
Does anyone have any best practice/deployment recommendations for ISE 2.4 TACACS for device management of devices with public IPs?
I see 2 options:
1. TACACS node in DMZ accessible to the public devices,
2. punch a hole through the firewall to internal PSNs.
Wondering if anyone has any recommendations for this scenario.
thanks.
07-31-2018 11:13 AM
I think a VPN would be the best practice.
Thanks,
Alex
08-01-2018 11:36 AM
Alex's solution would be the best and most secure, but the TACACS payload, unlike RADIUS, is encrypted. Therefore the information should still be reasonably protected if you placed an auth server in the DMZ. But that risk would be something you should research further and also determine if it is acceptable compared to running a VPN to each site.
Also, if you do decide to do this, be sure you do not enable "default device"; you don't want random items trying to auth against your ISE server. I would also highly recommend that you have a firewall rule that only allows TACACS from known NADs.
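The firewall rule suggested in the reply above (only known NADs may reach the PSN on TACACS+, which listens on TCP/49) can be expressed and checked with a small script. This is an added example, not code from the thread or from Cisco: it builds an ordered allowlist from a list of NAD addresses, evaluates connection attempts against it first-match like an ACL, renders the same rules as Cisco IOS extended ACL lines, and flags denied attempts so unknown sources hitting the PSN can be reviewed. The NAD and PSN addresses are constructed sample values from documentation ranges, not real hosts.

```python
import ipaddress

TACACS_PORT = 49  # TACACS+ servers listen on TCP/49

# Constructed sample data (documentation ranges): public addresses of the managed
# network devices (NADs) and the DMZ-facing address of the ISE PSN. Not real hosts.
KNOWN_NADS = ["203.0.113.10", "203.0.113.11", "198.51.100.0/29"]
ISE_PSN = "192.0.2.5"


def build_allowlist(nads, psn, port=TACACS_PORT):
    """Return ordered rules (action, src_network, dst_host, proto, dst_port):
    one permit per known NAD, then an explicit deny for every other source."""
    psn_addr = ipaddress.ip_address(psn)
    rules = []
    for nad in nads:
        net = ipaddress.ip_network(nad, strict=False)  # "203.0.113.10" becomes a /32
        rules.append(("permit", net, psn_addr, "tcp", port))
    rules.append(("deny", ipaddress.ip_network("0.0.0.0/0"), psn_addr, "tcp", port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """First-match evaluation, the way a firewall ACL is processed.
    Returns 'permit' or 'deny'; traffic no rule describes is implicitly denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, net, host, rproto, rport in rules:
        if src in net and dst == host and proto == rproto and dst_port == rport:
            return action
    return "deny"


def to_ios_acl(rules, name="TACACS-FROM-NADS"):
    """Render the rules as Cisco IOS extended ACL lines. The ACL name is a
    hypothetical choice; the deny line is logged so stray sources are visible."""
    lines = [f"ip access-list extended {name}"]
    for action, net, host, proto, port in rules:
        if net.prefixlen == 0:
            src = "any"
        elif net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"  # IOS wildcard mask
        suffix = " log" if action == "deny" else ""
        lines.append(f" {action} {proto} {src} host {host} eq {port}{suffix}")
    return lines


def audit_attempts(rules, attempts):
    """Run (src, dst, proto, port) attempts through the rules and return the
    denied ones, i.e. sources that are not registered NADs but tried the PSN."""
    return [a for a in attempts if evaluate(rules, *a) == "deny"]


if __name__ == "__main__":
    rules = build_allowlist(KNOWN_NADS, ISE_PSN)
    print("\n".join(to_ios_acl(rules)))
    # Constructed attempts: two known NADs, one unknown public source.
    attempts = [
        ("203.0.113.10", ISE_PSN, "tcp", 49),
        ("198.51.100.3", ISE_PSN, "tcp", 49),
        ("198.51.100.77", ISE_PSN, "tcp", 49),
    ]
    for a in audit_attempts(rules, attempts):
        print("review: denied TACACS attempt from", a[0])
```

The explicit final deny (with `log`) is what turns the rule from a pure block into a detection source: anything that is not a registered NAD and still reaches the PSN's TACACS port shows up in the firewall log rather than disappearing into an implicit deny.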
08-01-2018 12:29 PM
Hello,
Yes, the FW rules would be there... just wondering how other people are tackling the combined ISE/TACACS environment... now that ISE controls both internal wifi/security/authentication AND TACACS for the network... wondering how other people might be tackling the trade off... definitely do not want to open up connectivity into a system that has connectivity to other internal stuff.
Most deployment models I've seen reference the combined model/dual purpose, but I have not seen any reference or best practice to tackle the "how is the best way to design for external IP devices to reach the TACACS node and keep it secure..."
Now that a VM license is required for every VM deployed... adding nodes adds additional cost to the deployment.
Trying to keep things simple and elegant to run and manage.