04-27-2023 08:46 AM
Hi, in the C9800 WLC system, we can see RADIUS configuration with ISE, but in other cases we can see they use TACACS instead of RADIUS. In the 9800 system, what is the difference between RADIUS and TACACS? Thanks
04-27-2023 09:27 AM
M.
04-27-2023 09:43 AM
I think you need to understand why you might use TACACS vs RADIUS, which is typically used for user access. Back in the day RADIUS was used for network device access until TACACS was born. There are still networks out there that use RADIUS for network device access because they don't have an AAA server that supports TACACS. Hope that somewhat clarifies your question.
04-28-2023 06:52 AM - edited 04-28-2023 06:52 AM
Cisco devices normally use TACACS to authenticate and authorise user access to the device itself - device management.
TACACS is a Cisco proprietary protocol (so mostly only used by Cisco devices) but Cisco did release the code for it so a few other vendors have released server and client support for it in a limited way.
RADIUS is a standard used right across networking. It can be used for management access (like TACACS), but on Cisco devices it is mostly used for user access authentication and management, e.g. WiFi users, remote access users etc.
04-28-2023 09:24 AM
Thanks for your reply!
Now the C9800 WLC is using RADIUS. If we change it to TACACS, what do we need to do? Just set up TACACS and remove RADIUS?
04-28-2023 09:39 AM
Not necessarily - it depends what it's using the RADIUS for. For example, if you're using it to authenticate an 802.1X WLAN you can't remove it. But if you're using it to authenticate management users then yes, you could replace it with TACACS. You'll also have to make sure the ISE server is correctly configured. When you're sure TACACS is working then you could remove the RADIUS.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html
04-29-2023 05:51 AM
Please make sure you understand the configuration before you change anything. You just need to review the ISE and TACACS configuration documentation so you can follow how your setup is and what it is doing. Then understand how ISE RADIUS is used to authenticate clients. Then, and only then, you will be able to understand the current policies defined.
05-01-2023 11:23 AM
@Rich R and @Scott Fella Thanks for your comments. The document below talks about RADIUS/TACACS and WLC configuration. Based on the document, the two servers, RADIUS and TACACS, need to be configured at ISE. There are some features that both servers share. My question is: when the WLC needs the same feature, which server (RADIUS or TACACS) would provide the function?
05-01-2023 12:59 PM
TACACS is generally the first choice for management user authentication on Cisco devices.
RADIUS is the standard for client access authentication across networks generally.
And when I say authentication I actually mean AAA - authentication, authorisation and accounting.
05-01-2023 02:29 PM
I am not asking about the difference between the two servers at this moment. Instead, I would like to know: when both servers, RADIUS and TACACS, are installed and configured on the same ISE/WLC, if a device requests the same service feature that both servers provide, which server will respond to it? Is there a mechanism to handle the issue? Or can only one of the two servers be selected?
05-01-2023 03:16 PM
Well, you can configure primary and fallback options with aaa config, so it might be possible, but I really would not recommend ever doing that. But if you did that then they'd be selected in the order you configure them to be used.
05-02-2023 06:54 AM - edited 05-09-2023 08:33 AM
Thank you very much for your reply. It makes sense.
"Not necessarily - it depends what it's using the radius for. For example if you're using it to authenticate an 802.1x WLAN you can't remove it. But if you're using it to authenticate management users then yes you could replace it with TACACS ..."
Our system uses 802.1X RADIUS for users, so we cannot remove RADIUS.
"Well you can configure primary and fallback options with aaa config so it might be possible but I really would not recommend ever doing that. But if you did that then they'd be selected in the order you configure them to be used. "
Regarding the order we selected, I think you mean AireOS, but it looks like we do not have that function on the Catalyst 9800. So when both RADIUS and TACACS co-exist on the C9800, there should be a mechanism to control/decide which one (RADIUS or TACACS) takes care of user authentication and authorization.
05-02-2023 07:24 AM
Please refer back to the answers already provided.
05-09-2023 08:33 AM
I changed the previous post after I reviewed the question.
05-09-2023 08:53 AM
> but looks like we do not have the function at catalyst 9800.
IOS aaa config allows you to specify multiple groups, so you should be able to use both in order of preference, e.g.:
aaa authentication login default group mytacacs group myradius local
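As an added example (not from the thread and not Cisco's code), the Python below models how an IOS-XE login method list like the one above is evaluated: methods are tried in the configured order, and the list only falls through to the next method when the current one cannot answer (server group unreachable); an explicit reject by the first reachable server is final and is never retried against the next server or against the local database. The group names mytacacs/myradius come from the config line above; the per-method outcome tables are constructed for illustration.

```python
"""Model of IOS-XE AAA method-list evaluation (added example, not Cisco code)."""
from typing import Dict, List, Tuple

# Possible outcomes of one method. ERROR means "no answer" (every server in
# the group timed out); FAIL means the server answered with a reject.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def parse_method_list(config_line: str) -> List[str]:
    """Extract the ordered methods from an 'aaa authentication login' line.

    'aaa authentication login default group mytacacs group myradius local'
    -> ['group:mytacacs', 'group:myradius', 'local']
    """
    tokens = config_line.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' line")
    methods: List[str] = []
    i = 4                      # tokens[3] is the list name ('default' here)
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(f"group:{tokens[i + 1]}")
            i += 2
        else:                  # keyword methods: local, enable, none, ...
            methods.append(tokens[i])
            i += 1
    return methods


def evaluate(methods: List[str], outcomes: Dict[str, str]) -> Tuple[str, str]:
    """Walk the method list and return (deciding_method, result).

    outcomes maps a method to PASS/FAIL/ERROR for this login attempt; a
    method missing from the table is treated as unreachable (ERROR).
    Only ERROR moves on to the next method; PASS and FAIL both end it.
    """
    for method in methods:
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return method, result
    return (methods[-1] if methods else ""), ERROR   # nothing could answer


if __name__ == "__main__":
    mlist = parse_method_list(
        "aaa authentication login default group mytacacs group myradius local")
    # Constructed scenario 1: TACACS reachable and rejects -> RADIUS never asked.
    print(evaluate(mlist, {"group:mytacacs": FAIL, "group:myradius": PASS}))
    # Constructed scenario 2: TACACS group dead -> RADIUS decides.
    print(evaluate(mlist, {"group:mytacacs": ERROR, "group:myradius": PASS}))
```

The second scenario is the "order of preference" the answer above describes; the first shows why a reachable TACACS server that rejects a login is not "backed up" by RADIUS, so local accounts are only reached when every configured server group is down.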