I've recently inherited an ACS 5.5 server that was upgraded from 4.1 a few weeks ago before I joined the company.
While digging through the config I noticed a lot of local users in a VPN group, and while testing my credentials I found that I was able to use my VPN credentials to SSH into my switches.
It appears that little work was done once the migration was complete. I believe that the issue revolves around the default policy being set to permit any user. Currently there are rules to allow our admin group to access our APC devices and a 2nd rule for the admin group to access the switches, but because of the default permit any, any VPN user can also access any of the network devices.
It's been a few years since I set up a "new" 5.x ACS server, and in the past I was using AD mappings to restrict the VPN users to only the VPN, and I'm feeling a bit rusty on how to correct this.
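The situation described in the post (explicit permit rules for the admin group, plus a Default rule set to permit) can be modelled as a small first-match rule evaluator. The Python below is an added example written for this page, not code from the original poster or from Cisco ACS; it models the general shape of an ACS 5.x authorization policy (ordered rules, then a Default rule) but collapses the RADIUS/VPN and TACACS+/device-admin services into one rule list with a protocol condition for brevity. All identity group names (NetAdmins, VPNUsers), network device groups (Switches, APC, VPN-Gateways), user names and rule names are constructed for illustration. It evaluates the same sample requests against the migrated policy (Default = permit) and a corrected one (Default = deny, with an explicit rule for what VPN users are allowed to do).

```python
# Added example: a model of ACS 5.x-style rule-based authorization
# (first-match rules, then a Default rule). Group, device and user names
# are constructed for illustration, not taken from any real ACS config.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One AAA request as the policy sees it (constructed fields)."""
    user: str
    identity_groups: frozenset   # identity groups the user belongs to
    device_group: str            # network device group of the NAS
    protocol: str                # "TACACS+" (device admin) or "RADIUS" (VPN)


@dataclass(frozen=True)
class Rule:
    """An authorization rule; a None condition means 'any'."""
    name: str
    result: str                  # "permit" or "deny"
    identity_group: Optional[str] = None
    device_groups: Optional[frozenset] = None
    protocol: Optional[str] = None

    def matches(self, req: Request) -> bool:
        if self.identity_group is not None and self.identity_group not in req.identity_groups:
            return False
        if self.device_groups is not None and req.device_group not in self.device_groups:
            return False
        if self.protocol is not None and self.protocol != req.protocol:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default: str                 # result of the Default rule

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """First matching rule wins; otherwise the Default rule applies."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.result, rule.name
        return self.default, "Default"


# The two explicit rules described in the post: admins to APC devices,
# admins to switches. Only the Default rule differs between the policies.
ADMIN_RULES = (
    Rule("Admins-to-APC", "permit", identity_group="NetAdmins",
         device_groups=frozenset({"APC"}), protocol="TACACS+"),
    Rule("Admins-to-Switches", "permit", identity_group="NetAdmins",
         device_groups=frozenset({"Switches"}), protocol="TACACS+"),
)

# As migrated: Default = permit, so anything no rule matches is allowed.
MIGRATED_POLICY = Policy(ADMIN_RULES, default="permit")

# Corrected: an explicit rule for what VPN users may do, Default = deny.
CORRECTED_POLICY = Policy(
    ADMIN_RULES + (
        Rule("VPN-Users-to-VPN", "permit", identity_group="VPNUsers",
             device_groups=frozenset({"VPN-Gateways"}), protocol="RADIUS"),
    ),
    default="deny",
)

# Constructed sample requests: an admin and a VPN-only user, each trying
# SSH (TACACS+) to a switch and a VPN login (RADIUS) on the VPN gateway.
REQUESTS = {
    "admin-ssh-switch": Request("admin1", frozenset({"NetAdmins"}), "Switches", "TACACS+"),
    "vpnuser-ssh-switch": Request("vpnuser1", frozenset({"VPNUsers"}), "Switches", "TACACS+"),
    "vpnuser-vpn-login": Request("vpnuser1", frozenset({"VPNUsers"}), "VPN-Gateways", "RADIUS"),
    "admin-vpn-login": Request("admin1", frozenset({"NetAdmins"}), "VPN-Gateways", "RADIUS"),
}


def decisions(policy: Policy) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample request and return {name: (result, rule)}."""
    return {name: policy.evaluate(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("migrated", MIGRATED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"== {label} policy (Default = {policy.default}) ==")
        for name, (result, rule) in decisions(policy).items():
            print(f"  {name:20} -> {result:6} via {rule}")
```

Under the migrated policy the VPN user's SSH to a switch is permitted by the Default rule, exactly the symptom in the post. Under the corrected policy the same request falls through to Default and is denied. Note the side effect a practitioner should check before flipping the Default to deny: anything that was only working because of the permissive default (here, the admin's own VPN login, since admin1 is not in VPNUsers) stops working until it gets an explicit rule of its own.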