The IAP can be configured to fallback to the Internal DB, for IAP management purposes, if the connection to Radius is lost. This will protect you from the scenario you described. Without it....reset to factory default.
This config is independant of WLAN client authentication.....
From the 3.2 Users Guide p.129:
In the Authentication drop-down list, select any one of the following:
Internal— Select to specify a single set of user credentials. Enter the Username and Password for
accessing the Virtual Controller Management User Interface.
RADIUS Server— Specify one or two RADIUS servers to authenticate UI. If two servers are configured
users can use them in primary/backup mode or load-balancing mode, this is identical to the RADIUS
server configuration for SSIDs. For information on configuring external RADIUS server, see “External
RADIUS Server” on page 120.
RADIUS server w/ fallback to internal— Specify the RADIUS servers as well as a Username and
Password. If there is no response from the RADIUS server (RADIUS server timeout), the authentication
switches to Internal.