307 Views, 0 Helpful, 3 Replies

Autonomous AP with two radius groups.

rraineri
Level 1

I have been trying to configure primary and secondary radius servers for a specific authentication method, in this case EAP. I have been researching for a configuration example, unsuccessfully.

I am wondering if the following command will work as intended by me:

#aaa authentication login eap_methods group loc_eap group rad_eap

From this command I think that the AP will go and search the login credentials on its local radius server (loc_eap) and if those credentials are not found the AP will go and search the credentials on the remote radius (rad_eap).

Is that correct? If not, how could I make it?

3 Replies

Scott Fella
Hall of Fame

From what I know, the second method is only used if the primary isn't reachable. If the primary is reachable, that radius will send a reject and the auth will fail. It will not try the second method after the first has sent an accept or reject.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

What you usually can do, if your radius is ACS or ISE, is use an identity sequence. So you can specify AD as the primary and then local (on radius) as backup, or vice versa. Then create a local in the AP if the radius isn't available.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Robin,

Regarding the below query

From this command I think that the AP will go and search the login credentials on its local radius server (loc_eap) and if those credentials are not found the AP will go and search the credentials on the remote radius (rad_eap).

Is that correct? If not, how could I make it?

Scott is right here: if your user credential is not found in the first listed method, you will get an access reject. It will go to the other authentication methods only if the first one fails to respond.

"A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted."

Ref:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap13-radius-tacacs.html

HTH

Rasika

**** Pls rate all useful responses ****
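The distinction the replies above draw (a method is skipped only when it does not respond, never when it answers with a reject) is easy to get wrong, so here is a small model of the method-list walk. This is an added example, not Cisco code and not from anyone in this thread; the server groups, users and passwords are constructed, and the function that "tries the next group after a reject" exists only to show what the original poster expected versus what the quoted documentation describes.

```python
"""Model of how an IOS AAA method list such as
   aaa authentication login eap_methods group loc_eap group rad_eap
walks its groups, following the behaviour quoted from the Cisco
configuration guide. Everything here is a constructed illustration."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"             # server answered Access-Accept
    REJECT = "reject"             # server answered Access-Reject
    NO_RESPONSE = "no_response"   # server unreachable / timed out


# Constructed server groups: username -> password per group.
# A group mapped to None stands for "no RADIUS server in the group responds".
SERVER_GROUPS = {
    "loc_eap": {"alice": "alice-pw"},                     # local RADIUS on the AP
    "rad_eap": {"alice": "alice-pw", "bob": "bob-pw"},    # remote RADIUS
}


def query_group(group, user, password, groups=SERVER_GROUPS):
    """One RADIUS exchange against a server group (constructed)."""
    creds = groups.get(group)
    if creds is None:
        return Result.NO_RESPONSE
    if creds.get(user) == password:
        return Result.ACCEPT
    return Result.REJECT


def authenticate(method_list, user, password, groups=SERVER_GROUPS):
    """Documented behaviour: a group that does not respond is skipped and the
    next group is tried; any group that does respond ends the process with
    its accept or reject. Returns (result, group that decided)."""
    for group in method_list:
        result = query_group(group, user, password, groups)
        if result is Result.NO_RESPONSE:
            continue                      # fall through to the next method
        return result, group              # accept AND reject both stop here
    return Result.NO_RESPONSE, None       # every method exhausted


def authenticate_as_op_expected(method_list, user, password, groups=SERVER_GROUPS):
    """What the original question assumed (hypothetical, NOT IOS behaviour):
    a reject from one group would cause the next group to be consulted."""
    for group in method_list:
        result = query_group(group, user, password, groups)
        if result is Result.ACCEPT:
            return result, group
    return Result.REJECT, None


if __name__ == "__main__":
    methods = ["loc_eap", "rad_eap"]
    # bob exists only on the remote RADIUS: local answers Reject, so the
    # remote group is never consulted.
    print(authenticate(methods, "bob", "bob-pw"))
    # Same user when the local group is unreachable: now the remote decides.
    down = {**SERVER_GROUPS, "loc_eap": None}
    print(authenticate(methods, "bob", "bob-pw", down))
    print(authenticate_as_op_expected(methods, "bob", "bob-pw"))
```

Running it shows the case the thread is about: a user known only to `rad_eap` is rejected by `loc_eap` and never reaches the second group, while the same request succeeds through `rad_eap` only when `loc_eap` does not answer at all.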
