When enabling AAA authentication, fallback does not seem to work
Summary: Authentication, Authorization, and Accounting (AAA) has been enabled and functions properly, but local fallback for mgmt.0 port is not working.
Symptoms
Activating AAA authentication group for remote login
AAA authentication for Lightweight Directory Access Protocol (LDAP) was set up with the option to fall back to local login if LDAP servers are unreachable.
When LDAP servers are unreachable, Multilayer Director Switches (MDS) running MDS NX-OS 6.2(13), 6.2(13a), or 6.2(13b) do not fall back to the local database even though the following command is present in the running configuration:
aaa authentication login default fallback error local
The only exception is the MDS 9250i, which falls back to the local database while the LDAP server is unreachable.
This behavior was tested on the MDS 9513 and MDS 9250i with the same NX-OS version (MDS NX-OS 6.2(13), 6.2(13a), 6.2(13b)).
The MDS 9250i has no problem and falls back to the local database when the LDAP server is unreachable, but the other MDS switches do not.
This problem only occurs when MDS switches have an LDAP configuration. It does not occur with Terminal Access Controller Access-Control System (TACACS) configurations.
Cause
If the LDAP server is unreachable, then users cannot log in to the switch using the local username and password.
Cisco bug CSCuy39447
https://tools.cisco.com/bugsearch/bug/CSCuy39447/?reffering_site=dumpcr
Resolution
Permanent Fix: This is to be fixed in a future code release.
Workaround:
This is the workaround recommended by Cisco; it does not fix the underlying issue.
To return to local login while the LDAP servers are unreachable, the console port must be accessed and LDAP must be disabled.
Log in with the local username and password using the console connection.
If you still want the MDS switch to use LDAP authentication, and you can get into the switch, you can remove the ldap-search-map from "aaa group server ldap", so the AAA group looks something like:
aaa group server ldap ldap_group
  server x.x.x.x
  no ldap-search-map
Without the ldap-search-map, the MDS switch falls back to local authentication if the LDAP server is unreachable.
You can also use the following commands to accomplish this.
SW(config)# no aaa authentication login default group <group name>
OR
SW(config)# aaa authentication login default local
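As an added example (not part of the Cisco article), a small audit script that scans a saved running-config for the condition this workaround removes: an LDAP server group used by the default login method that still carries an ldap-search-map, with or without the fallback command present. The config text is constructed sample input, and the group name, server address and map name are placeholders.

```python
import re

# Constructed sample running-config fragment (not a real device dump).
SAMPLE_CONFIG = """\
aaa group server ldap ldap_group
  server 192.0.2.10
  ldap-search-map map1
aaa authentication login default group ldap_group
aaa authentication login default fallback error local
"""

FALLBACK_CMD = "aaa authentication login default fallback error local"


def parse_ldap_groups(config):
    """Return {group_name: {"servers": [...], "search_map": str|None}} from NX-OS config text."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server ldap (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"servers": [], "search_map": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the group block
            continue
        words = line.split()
        if words[0] == "server":
            groups[current]["servers"].append(words[1])
        elif words[0] == "ldap-search-map":
            groups[current]["search_map"] = words[1]
    return groups


def audit_fallback(config):
    """List findings that would leave the switch without local fallback when LDAP is unreachable."""
    findings = []
    if FALLBACK_CMD not in config:
        findings.append("missing: " + FALLBACK_CMD)
    m = re.search(r"^aaa authentication login default group (\S+)", config, re.M)
    groups = parse_ldap_groups(config)
    if m and m.group(1) in groups and groups[m.group(1)]["search_map"]:
        findings.append(
            f"ldap group {m.group(1)} uses ldap-search-map "
            f"{groups[m.group(1)]['search_map']}; local fallback may not work (CSCuy39447)"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_fallback(SAMPLE_CONFIG):
        print(finding)
```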