You have "set admin privilege read-write." This means anyone authenticated via RADIUS will have read-write.
ssg5-serial-wlan-> set admin auth remote ?
root remote ROOT privileged admins accepted
This means that root users are allowed, but you have to have "set admin privilege" set to "get-external," then configure the RADIUS server to provide the privilege level (root, R/W, read-only).
As you have it configured, if the RADIUS server sends back a REJECT message, then the firewall will NOT try local. Based on what you were asking, it would probably be best to configure the firewall for "get-external," then configure a RADIUS user that has read-only.