So I started adding the following lines to all of our Enterasys switches.
set system login rw read-write enable local-only yes
set system login ro read-only enable local-only yes
set system login admin super-user enable local-only yes
If you have RADIUS configured for logging into switches, so admins can use their own logins and be accountable, it can be challenging when things go wrong.
By default, the switches check with RADIUS first for all logins, so local logins only work if RADIUS is totally out of the picture. Even then, you have to wait for the RADIUS request to time out before the switch checks the local password store. If RADIUS is up but messed up, the switch may never check the local store. Then the only way to get in is to console into the switch and unplug the uplink, or perhaps create a policy that does not allow the switch to talk to the RADIUS server at all. At the height of a crisis, this may cause you to blow a gasket.
With this config, the switches will always check the local store first for the usernames you specify. You'll be happy you did this if your RADIUS server ever goes sideways.
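To confirm that every switch actually carries these lines, saved configs can be audited offline. The script below is an added example, not part of the original post: the function name, the sample configs, the "disable" and "local-only no" tokens, and the rule that the last line for a username wins are assumptions based on the shape of the three lines above.

```python
import re

# Line shape taken from the post:
#   set system login <user> <access> enable local-only yes
# "disable" and "local-only no" are assumed to be the alternative tokens.
LOGIN_RE = re.compile(
    r"^\s*set system login (\S+) (super-user|read-write|read-only) "
    r"(enable|disable)(?: local-only (yes|no))?\s*$"
)

def audit_local_fallback(config_text, required=("rw", "ro", "admin")):
    """Return {user: problem} for accounts that would not be checked locally first."""
    seen = {}
    for line in config_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            user, _access, state, local_only = m.groups()
            seen[user] = (state, local_only)  # assumption: last line for a user wins
    problems = {}
    for user in required:
        if user not in seen:
            problems[user] = "no 'set system login' line"
            continue
        state, local_only = seen[user]
        if state != "enable":
            problems[user] = "account disabled"
        elif local_only != "yes":
            problems[user] = "local-only not yes, RADIUS is consulted first"
    return problems

# Constructed sample configs (not captured from real switches).
GOOD_CONFIG = """\
set system login rw read-write enable local-only yes
set system login ro read-only enable local-only yes
set system login admin super-user enable local-only yes
"""
BAD_CONFIG = """\
set system login rw read-write enable
set system login ro read-only disable local-only yes
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_local_fallback(cfg) or "OK")
```
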