Would you mind clarify something for me please? When you say it fails, are you referring to someone just using local VPN account to try and log in? The reason I ask this is because if you have Radius as GENERIC auth method on the firewall, then user/pass will never work, so what you would have to do is what I attached as a screenshot. Now, if you do that, to take full effect, people would have to actually delete/re-create vpn site, so gateway can fetch the right informations.
Hit me up if you want to do remote session, happy to show you.
Cheers.