I’m not the greatest at AAA on Cisco’s IOS. I always have to think about how to order things, and to test fallback (which you should do anyway). One of the caveats that I always overlook, no matter how many times I set this up, is that Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted*. But, as I’ve said many, many times before, being able to look for documentation and knowing where to find information is just as valuable as having great retention.
The rest of the commands will allow the enable password to work, etc. I tested and verified this as well. Adding a local user to the box also works for those that are averse to waiting for RADIUS to time out to enter the enable password (although I really don’t see the point).
Some other good reference material for this is available over at the IOS hints blog.
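The fallback rule described above, shown as a configuration sketch. This is an added example, not the configuration from the original post: the server name `RAD1`, group name `RAD-GRP`, user `fallback-admin`, the address `192.0.2.10` (documentation range) and the bracketed secrets are all placeholders.

```cisco
! Added example; every name, address and secret below is a placeholder.
aaa new-model
!
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 ! 3 s per attempt, 2 retransmits: up to 3 attempts before the
 ! method counts as "no response" and the next method is tried.
 timeout 3
 retransmit 2
 key <RADIUS-SHARED-SECRET>
!
aaa group server radius RAD-GRP
 server name RAD1
!
! Local account and enable secret for the fallback path.
username fallback-admin privilege 15 secret <LOCAL-SECRET>
enable secret <ENABLE-SECRET>
!
! Method lists are evaluated left to right.
aaa authentication login default group RAD-GRP local enable
aaa authentication enable default group RAD-GRP enable
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Expected behaviour under the rule quoted above:
!   RADIUS answers with accept   -> user is logged in
!   RADIUS answers with reject   -> login denied; "local" and "enable"
!                                   are NOT tried, even if the
!                                   fallback-admin credentials are valid
!   RADIUS gives no response     -> after the timeouts expire, "local"
!                                   is tried next
```

To test the fallback path in a lab, make the RADIUS server unreachable from the device and confirm that the local login works; `debug aaa authentication` shows which method answered.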