Freeradius auth for LTM V11.5.1
Well, I think I know what's going on. The full answer appears to be that much of the Radius functionality in the BIG-IP is mediated by the APM add-on module. Absent this module, only a minimal form of Radius is supported.
In the minimal form, the account you want to log in to must already exist as a local account on the system, including most of the things mediated by the 'extra' F5-LTM-* attributes in the Radius response. The LTM then checks against Radius for the password credential only, essentially overriding what is in the local configuration. This extends to logins in the Advanced shell, which report "-- ERROR -- The user enno is currently authenticated from a remote source. Please change the password at the remote authentication server." if you try to use the POSIX 'passwd' command from the command line. That's obviously a good thing, as it will serve to reduce confusion around where you are changing your password and potentially why changes did or didn't take effect.
If APM is indeed the name of my pain, I suspect the https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html page should be updated to indicate that APM is a prerequisite. Currently it's silent on that topic.