Hi, what you're asking for it can be done. If you want to use an external authetication scheme you have to use Active authentication, then define external groups that have to match with group ID in your Active Directory for example. Once a user brings up the tunnel he must authenticate against the firewall by open a browser page to the URL: https://<firewall internal IP address>:8111/login.html. The firewall will check credentials and group ID with the AD server and if they're OK the web page will turn to green with a "Successful Login" message. Then the user will be granted with an access according to the policy you configured in the rule for RDP service.
You don't have to confuse the VPN tunnel and authetication configuration with the configuration described above. They're two completely different configurations.
I hope this helps