In order to be able to access the appliance in the event that an external authentication method has failed (such as RSA), one solution would be to have some locally authenticated TPAM Admin and SysAdmin Users for troubleshooting an event of this nature. Access could be gained to the appliance with these locally authenticated Users to reconfigure existing Users.
Another option would be to have working and tested CLI Admin / SysAdmin Users that could be used to adjust the authentication methods for TPAM Users.
The CLI commands "UpdateUser" or "AddUser" could be utilized to modify the authentication types for an existing user create a new user. See these options for these commands from the 2.5.915 guide for flags that would be useful:
--PrimaryAuthType Opt The type of the primary authentication system for this user. Current
values are Local, Certificate, LDAP, WinAD, Radius or Defender. When
Local is used the PrimaryAuthID, PrimaryAuthExtra and
PrimaryAuthSystem values are ignored.
--PrimaryAuthSystem Opt* Name of the defined system to use when the PrimaryAuthType is not
local or certificate. Systems are defined by the appliance System
--SecondaryAuth Opt Secondary authentication system used for user login. Valid values are
None (default), SecureID, Safeword, Radius, WinAD, Defender and
--SecondaryAuthSystem Opt Name of the secondary authentication system of the type indicated in
ExternalAuth. Values are defined by the appliance SysAdmin.