Converting from LDAP to Radius Authentication for DUO MFA with Sophos SSL-VPN

We were testing DUO MFA with LDAP authentication to our Active Directory using the Sophos SSL-VPN.  Tan into the "timeout" problem and created a Radius login and server to fix this.   Now we are seeing: 

1. Initial validation appears to work,   

2. DUO MFA request is sent to the phone for authentication .

3. Once returned, the authorization fails at final login. 

I'm wondering if this is because of something changed in the way groups our handled?  

All users are members of our AD Group "VPN Users

What's the missing link?   


Edited TAGs
[edited by: emmosophos at 8:31 PM (GMT -8) on 23 Feb 2021]