It sounds like your problem is that the router is not sending the AAA traffic down the VPN tunnel. Try something like this:
Assuming you're using RADIUS, and the inside interface of the 871 is e0, configure:
ip radius source-interface e0
As long as the traffic from the IP address configured on e0 is configured to be encrypted, it should send the AAA request down the tunnel.
Note, you must also use the IP address assigned to e0 as the AAA client address in the AAA server.
Please let me know if my suggestion is unclear.