I'm a recent convert from pfSense and had the Web-Gui setup to auth against an external radius (windows server) box. I noticed with OPNsense that in order to actually log into the OPNsense Web UI that any radius account that needs access has to be also defined as a local account. Which seems counterproductive to me and doesn't really scale if I have to manager local user accounts in 2 places.
With pfSense I could specify a local group on the firewall and if the radius server returned the exact same name as the local group within the RADIUS AVP Filter-Id then you'd be allowed to log in. Am I missing something as far as RADIUS is concerned? If I don't set up a local user, then I get the "No page assigned to this user! Click here to logout." message.
Maybe you can open a feature request for it in GitHub? No idea if chances are good to get it done but worth a try