Hi Simon,
I cannot speak to Downloadable ACLs with the AS5300 product, as I have never done it; however, I have successfully implemented dynamic inbound ACLs on a per-user and per-group basis for dial access with TACACS+ on ACS 3.1 with an AS5300. With this option, you enable "PPP IP" and "Custom attributes" within the TACACS+ Settings section of the group or user, then define the access list you wish to implement. Syntax is important, and below is an example of the format allowing a source subnet to a host for port ssh (Note: this is dynamic ACL syntax, not downloadable ACL syntax):
inacl#1=permit tcp x.x.x.x 0.0.0.255 host y.y.y.y eq 22
In addition, one other prerequisite with this option is that the ACS local database must be used (you cannot use LDAP or integrate with AD).
Now, if this does not help and you must use Downloadable ACLs, please see the following URLs/PDFs that may be helpful:
http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf
Warning on Vulnerability with ACS 3.0-3.3.3:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml
Hope this helps, if so please rate.
Thanks,
-Scott
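
Since the post stresses that syntax matters, here is an added example (not part of the original post and not Cisco tooling) of a pre-deployment check for `inacl#<n>=` attribute lines before they are pasted into ACS. The grammar it accepts is an assumed subset of IOS extended-ACL syntax, `lint_inacl` is a hypothetical helper name, and the addresses are constructed documentation ranges.

```python
import ipaddress
import re

# Assumed subset of the IOS extended-ACL grammar carried in the attribute:
#   inacl#<n>=<permit|deny> <proto> <src> [<op> <port>] <dst> [<op> <port>]
# Numeric ports only; named ports and "range" are out of scope here.
ATTR = re.compile(r"^inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$")
PORT_OPS = {"eq", "neq", "gt", "lt"}

def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front."""
    if not tokens:
        raise ValueError("missing address")
    head = tokens.pop(0)
    if head == "any":
        return
    if head != "host":
        ipaddress.IPv4Address(head)          # network part
    if not tokens:
        raise ValueError("address is missing its host IP or wildcard mask")
    ipaddress.IPv4Address(tokens.pop(0))     # host IP, or wildcard mask

def _take_port(tokens, proto):
    """Consume an optional '<op> <port>' pair; only valid for tcp/udp."""
    if not tokens or tokens[0] not in PORT_OPS:
        return
    op = tokens.pop(0)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port match '{op}' needs tcp or udp, not '{proto}'")
    if not tokens or not tokens[0].isdigit() or int(tokens[0]) > 65535:
        raise ValueError(f"'{op}' must be followed by a port number 0-65535")
    tokens.pop(0)

def lint_inacl(line):
    """Return None if the attribute parses, else a description of the problem."""
    m = ATTR.match(line.strip())
    if not m:
        return "expected inacl#<n>=<permit|deny> <proto> <src> <dst>"
    proto, tokens = m.group(3).lower(), m.group(4).split()
    try:
        for _ in range(2):                   # source, then destination
            _take_addr(tokens)
            _take_port(tokens, proto)
    except ValueError as exc:                # AddressValueError is a ValueError
        return str(exc)
    return f"unexpected trailing text: {' '.join(tokens)}" if tokens else None

# Constructed sample values (documentation address ranges), not from the post.
if __name__ == "__main__":
    for s in ("inacl#1=permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 22",
              "inacl#1=permit ip 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 22"):
        print(s, "->", lint_inacl(s) or "ok")
```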