If we have a Windows 2008 server, we can use the NPS (Network Policy Server) role.
With this role installed and with two AD users (AdminA and AdminB), each in different AD groups (TenantA-Admins and TenantB-Admins, respectively), we can test RADIUS access.
Create a NAP client, specifying the IP address of the APIC, along with the password entered in step 3.
Create a network policy with the following settings:
The Cisco AV-Pair setting controls what we have access to.
Let's try logging into the APIC:
Stuarts-MacBook-Pro:~ stuart$ ssh AdminA@192.168.1.205Application Policy Infrastructure ControllerAdminA@192.168.1.205's password: ...