So you have a couple challenges here.
Mainly the VIA provisioning
I ran into this same issue and the challenge is that the auth comes in when you are local and it will have the same radius parameters as a standard auth so unless you use a separate controller than the VIA controller you will have a challenge.
The way I over came the issue was to either
1. Force VIA provisioning on the internet only so it will trigger a PAP auth
2. Or add a PAP auth to your wired/wireless service (which is what I did)
A. I also have my service trigger to put my VIA users in my provisioning role that allows CPPM and VIA.
If your VIA is setup correctly it will recognize that you are local and not trigger an auth.
Is there a reason you are triggering your VIA local?
Im not a VIA expert so there might be some other options and I will ping engineering to see what they say. :)