848 Views | 5 Helpful | 3 Replies

Anyconnect on IOS and LDAP

lap
Level 2

Hi,

I would like to know if LDAP will be supported with Anyconnect in the coming IOS release ? When?

Best regards,

Laurent

3 Replies

Marcin Latosiewicz
Cisco Employee

Laurent,

As far as I know it's still not supported; interestingly, I was able to find cases where people were asking about this, but no related enhancement request to track progress.

Typically we use ACS (via RADIUS) with LDAP/AD backend.

Marcin

Hi Marcin,

Perfect. Thanks for your quick reply. I would like to ask you a last question. What is the advantage of having LDAP as a feature if you can anyway connect to AD via a RADIUS server?

Best regards,

Laurent

Laurent,

Not sure if this will answer your question.

Having [pure] LDAP is nice if you want to perform authentication and your user base is already populated in AD.

There are no middle steps, just query and reply.

The "problem" with LDAP, especially based on AD, is that all the information about a user that is not primary (username and password I would consider primary) is stored in a way that does not easily allow applying/mapping it to networking.

On ASA to overcome this we have LDAP attribute mapping where we map attributes from LDAP to common RADIUS ones.

When using AD from ACS I believe (note that I'm not an expert on ACS) you can perform similar mapping, and the response you get is a pure RADIUS one - i.e. easily understood by most networking equipment.

RADIUS gives you more flexibility in terms of Authentication, Authorization and Accounting for networking equipment.

For example (AFAIR) LDAP/AD will not do accounting, nor can it be used to perform NAC functions.

But, for example, both LDAP (over SSL) and RADIUS (via MSCHAPv2) can perform password expiry functions.

Marcin
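As an added illustration of the ASA LDAP attribute mapping and LDAP-over-SSL password expiry handling Marcin describes above (this is constructed example configuration, not from this thread or from Cisco documentation; the server address, bind DN, group DNs, policy and tunnel-group names are placeholders), here is what the ASA side looks like. The `memberOf` attribute from AD is mapped onto `IETF-Radius-Class`, which the ASA treats as the group-policy name, so AD group membership selects the VPN policy without a RADIUS server in between:

```cisco
! Hypothetical ASA configuration (constructed example, not from this thread).
! Addresses, DNs, policy and group names are placeholders.

! 1. Map LDAP attributes onto the RADIUS-style attributes the ASA understands.
!    memberOf -> IETF-Radius-Class; the ASA uses Class as the group-policy name.
ldap attribute-map AD-TO-RADIUS
 map-name  memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com VPN-USERS-POLICY
 map-value memberOf CN=VPN-Admins,OU=Groups,DC=example,DC=com VPN-ADMINS-POLICY

! 2. The AD/LDAP server group, over LDAPS (636) so password management works.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-bind,OU=Services,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD-TO-RADIUS

! 3. Group policies that the mapped Class attribute selects.
group-policy VPN-USERS-POLICY internal
group-policy VPN-USERS-POLICY attributes
 vpn-tunnel-protocol ssl-client

group-policy VPN-ADMINS-POLICY internal
group-policy VPN-ADMINS-POLICY attributes
 vpn-tunnel-protocol ssl-client

! 4. Fallback policy: a user who authenticates but matches no mapped group
!    gets zero simultaneous logins, i.e. no VPN access.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 5. Tie it to the AnyConnect tunnel-group. password-management enables the
!    expired-password / change-password handling that LDAPS makes possible.
tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
 password-management
```

The point of the `NOACCESS` default policy is the same one the answer makes about "non-primary" attributes: a successful LDAP bind only proves the password; authorization has to come from mapped attributes, and any user the map does not cover should fall through to a deny policy rather than to a permissive default.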