There appears to be a lot of confusion about the use of TACACS and RADIUS and software defined segmentation using SGTs.

ISE supports both TACACS and RADIUS protocols. TACACS and RADIUS are both authentication and authorization security protocols however they serve totally different purposes and have different authorization policy structures. Both TACACS and RADIUS can rely on an External Identity Store for the authentication and attribution of users and devices. Microsoft Active Directory (AD) is used for this 95+% of the time. 

Terminal Access Controller Access Control System (TACACS) is for Command Line Interface (CLI) authorization on a network device. TACACS is used to control Who can do What commands on the CLI. TACACS has nothing to do with the network access authorization and enforcement (using VLANs, ACLs, software-defined segmentation via SGT, etc.) of a user or endpoint onto the network

Remote Authentication Dial In User Service (RADIUS) is used for user and/or endpoint authentication & authorization through a network access device (NAD) such as a switch or wireless controller or VPN. A RADIUS authorization of a network session may authorize users or endpoints with a Scalable Group Tag (SGT) classification along with a VLAN, ACL, or other enforcement attributes. Here is an example policy in ISE for assigning a user authenticated with 802.1X to the AD user group "Domain Users" to an SGT named "Employees":

Once that employee is authorized via RADIUS, they may attempt to Telnet (or SSH) to a network device. The ability to use Telnet or SSH from the Employees group to a NetworkDevices group might be blocked entirely by an SGACL so they could not even connect. If it was allowed, they would then be authenticated and authorized for CLI on the network device using the ISE policies for TACACS authentication and authorization which may also use AD groups.

I am not aware of a way to use a RADIUS-assigned SGT in ISE (with or without AD involvement) to make a TACACS authorization policy decision.