Since you are not using the internal CPG database, you need to change the form to do a RADIUS pre-auth check and then create a new RADIUS Enforcement service to handle the pre-authentication check. Otherwise if users put in bad credentials, they won't know until the controller login attempt (there will be no visual feedback on the form).