The AAA user authentication is incomplete IMO.
1) It shouldn't be limited to only the GUI. I want authentication against SSH logins as well.
2) When choosing "Remote RADIUS and Fallback to Local" I don't want it to accept local credentials unless RADIUS is unreachable. Once the device can talk to RADIUS, I expect to the device to only allow logins which RADIUS kicks back an authorized, user response. The RADIUS server should be unreachable if it is going to allow local login.
Choosing "Remote RADIUS Server Only" isn't a good fit, because if you need to access a device that doesn't have connectivity to the RADIUS server, you're hosed.