Thanks for your feedback.
Valentin: When I do what you suggest I get a "User unknown" diagnostic.
Vladislav: I was about to write that pam_unix.so does not authenticate against /etc/{passwd,shadow} in this case, but I was wrong - despite what I wrote in my previous message. Based on this, and your assertion that the SASL daemon just turns over authentication to PAM, my guess is that if what I want is to use PAM to try RADIUS first, and fall back on to SASL if the RADIUS server is not reachable, I just have to use the SASL PAM module and bypass the SASL daemon altogether, right?
