cisco aaa/windows radius server

I mostly use Radius, and it works just as well as TACACS+, although there are differences in what you can all do.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

It can be simple pass/fail user authentication for VPN/SSH, or it can even pass back information to specify which vpn group-policy should be applied to a user based on AD group membership. There are many other scenarios, but in the end it will be up to you to do your due diligence to research Radius with the features you are looking to achieve.

As my understanding, TACACS authorization can do more flexible on restriction. for example, user A able to apply "shutdown" command and user B does not. (its just an example, actually can restrict a list of command)

Please correct me if I am wrong.

My setup for TACACS+ is used for AAA. So under authorization I do have an "acl" that permits what commands can be entered by certain users. I also have accounting which collects which commands entered by a user. I'm not familiar if Windows Radius can perform these task.