It's been a while since I've had to do this, but I think the key to this is the presence of a local user entry with the same user ID as that used on the RADIUS server. On that basis, the password you assign to the local user account can be anything you like - it doesn't matter.
If the RADIUS authentication is being used to authenticate access to the Firewall admin console or CLI, and the RADIUS server entry isn't configured as the default authentication method the users must be told to prefix their username with the name given to the authenticator configured on the firewall.
e.g. if the RADIUS server is called "RAD-AUTH", when logging into the Firewall admin console they must enter their username as:-
-otherwise the Firewall will attempt to match the password entered against the local user account and not to the RADIUS server.
Many thanks Phil.