A local account is always available for authentication. For example, the local admin can be used for emergencies or for API access.  Otherwise you can use RADIUS for authentication and LDAP for authorization. LDAP may not do any authentication if that is how it is configured.

The local account will always be available and will be first in the authenticate processes.  Radius or LDAP will then be used for authentication, if configured.  LDAP can be configured so that it will only provide authorization, the group name, while RADIUS is used for authentication. 

If you want Radius to be the only remote authenticator, select the "Use Radius for authentication" option after enabling LDAP.  This will cause LDAP to provide the group authorization without providing any authentication.