There are plenty of possibilities to get aaa working regardless of the servers' location. This is a server that poses a high risk when compromised. Place it as secure as you can. I would always advise installation on the inside.
For what you want to deploy this Cisco Secure ACS. As a radius server or VMPS server etc.
The placement of ACS server depends upon many different criterai.
Suppose if you want to configure dot1x protocol on your switches and authenticate though ACS. Then you might also want ACS to integrate with you Antivirus server, may be also patch managemet server. So the placement of ACS becomes more complicated.
Just thought I would chime in. In my past job we used Secure ACS servers to authenticate all VPN traffic, Equipment access authentication for Network Admins as well as HTTP and FTP authentication for clients at more than 200 edge sites.
As we deployed this we felt that this should be in the most secure segment of our network. Therefore we deployed it to our dedicated management VLAN. We deployed all high level network management tools to this VLAN including Openview and other critical control resources.
We secured this area through extended ACLs allowing only devices that needed to talk to the ACS or other components for that matter by specific ports and addresses. This segment also featured dedicated IDS to monitor it as well as ACLs dictating 16 total ip addresses that could be used to manage equipment in this segment.
While you may not require that level of protection I would avoid placing ACS in your DMZ. By their nature DMZs are less secure than you inside network. The only time I could see deploying and ACS or another direct authentication sources such as AD would be if external users are the only users that would be accessing this resources. Even then though you need to consider the ramifications of you authentication resource being compromised. Good luck with your ACS deployment.