I have been testing ISE with Azure ROPC for EAP-TTLS and AnyConnect VPN authentication. Both of these work ok. As both of these use-cases support PAP, I'm assuming that it is also supported to use Azure ROPC for RADIUS and TACACS device administration?
I have been doing some testing and RADIUS admin works ok as we can use Azure ROPC for user authentication and then use the Azure AD identity source within an authorisation policy to map Azure AD group to the required authorisation profile (such as Priv15 for switches).
With TACACS, authentication works ok; however, there doesn't seem to be an option to select the Azure AD Identity source as a condition within the TACACS authorisation policy, so we can't use Azure AD groups for allocating granular command sets/shell profiles.
That is not a documented use case for ROPC, but both use cases would use simple password-based authentication. The endpoint auth use case would use EAP-TTLS(PAP) and the device admin use case would use simple PAP.
I did a basic test using a CSR1000v configured for RADIUS and authentication using AzureAD via ROPC did work. My authorization policy used a group membership check against AzureAD and the condition matched as expected.