Does anyone know of a document that outlines the different authentication options in IOS. Specifically I'm trying to understand the interplay between using radius, local, none(what is this option for?) and how the presence of an enable secret affects these. What is the difference between an enable secret and enable password anyway? Just the encryption type?
Yes indeed. If you configure "none" as one of the authentication methods, then if the device gets to that alternative it will let the user in. In a discussion of security it is sort of similar to "fail open" or "fail shut" (if your other methods have failed should you lock everyone out or should you let everyone in).
Let me give you my quick overview of the alternatives:
radius or tacacs will use a remote server (ACS or something similar) to authenticate.
local will authenticate with locally configured userID and password
line will authenticate with the configured passwords on line vty or line console
enable will authenticate with the enable passord (password or secret - depending on which is configured).
The difference between enable password and enable secret. Enable password by default is stored in clear text - and can be encrypted (but it is a pretty weak encryption). enable secret by default is stored encrypted (there is no option for it to be in clear text) and its encryption is pretty strong.
You had better believe that I worry about what happens if my primary authentication method fails. I normally configure a backup method and sometimes a backup to the backup.