If you're talking about SuSE or Red Hat and you want enterprise support, then the annual support contract is double the cost of a perpetual Windows Server 2003 license.
Unfortunately, Microsoft doesn't give you any way to override this "fail-shut" behavior. They claim customers want it this way because it's more secure, but every customer I've talked to wants a choice on this behavior. There is no security risk because the Authentication and Authorization component of Microsoft IAS is working perfectly fine; it's merely unable to make a record of the transaction.
Cisco ACS also comes on a dedicated appliance, but that's even harder to use in my experience since you don't even get a Windows console graphical interface to work with.
Funk Software (acquired by Juniper) has a pretty good solution with Steel-belted RADIUS at around 00 per copy, but that is still a significant cost, especially when you need two RADIUS servers for redundancy.
Your Cisco network equipment works perfectly fine so long as you avoid proprietary, less-secure, harder-to-deploy protocols like LEAP or EAP-FAST.
Furthermore, the stability of ACS is questionable, and there is an endless patch cycle for it since it has been plagued with security vulnerabilities and bugs.
You have to manually create the accounts and tables in SQL in order for this to work.
Furthermore, IAS under Windows Server 2003 insists on stopping the RADIUS service if logging doesn't work, so if the SQL server doesn't respond, all of your RADIUS servers stop working.
Cisco ACS also lacks the ability to act as a relay RADIUS server, which limits its ability to serve in a more robust multi-tier RADIUS environment.
You need that ability to link to multiple Active Directories or other user directories that are not tied to each other.
I've spoken with Microsoft and they're telling me they will correct this with Windows Server 2007 (or whatever it's going to be called when it's released next year).