Hi Paul,
A quick Google search shows instructions for implementing RADIUS connections for 2FA within Cisco FTD. Within those settings, you designate the VIP Enterprise Gateway IP address and port as the RADIUS server to point to. Then on the VIP Enterprise Gateway, you would create a new validation server to accept the incoming RADIUS requests, and create a userstore to handle LDAP queries if you want VIP to verify the user in your user store.
You can use the existing Cisco templates if you want to. They have prepopulated fields that you can adjust as necessary. Or, you can start from scratch and choose CUSTOM from the options, and build a fresh validation server.