diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index 645bb40546..56b710a6f1 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -146,9 +146,8 @@ class RADIUSBackend(BaseRADIUSBackend):
 try:
 user = User.objects.get(username=username)
 except User.DoesNotExist:
+ logger.debug("Created RADIUS user %s" % (username,))
 user = User(username=username)
-
- if password is not None:
 user.set_unusable_password()
 user.save()
@@ -166,7 +165,6 @@ class TACACSPlusBackend(object):
 )
 if created:
 logger.debug("Created TACACS+ user %s" % (username,))
- if password is not None:
 user.set_unusable_password()
 user.save()
 return user
@@ -195,8 +193,6 @@ class TACACSPlusBackend(object):
 user = self._get_or_set_user(username, password)
 if not user.has_usable_password():
 return user
- else:
- return None
 return None
 def get_user(self, user_id):
diff --git a/docs/auth/README.md b/docs/auth/README.md
index 6c01ce7b67..f6470e74fd 100644
--- a/docs/auth/README.md
+++ b/docs/auth/README.md
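Review bot: In the RADIUSBackend hunk (`@@ -146,9 +146,8`), the existing-user path returns whatever `User.objects.get(username=username)` finds, and nothing visible checks that the account was provisioned by RADIUS rather than created locally. The TACACS+ `authenticate` in this same commit gates on `if not user.has_usable_password(): return user`, and the README note added here promises the same strict separation for RADIUS. The method continues outside the hunk, so if it simply returns `user`, a local Tower account whose username also exists on the RADIUS server would be accepted after a RADIUS-only check. Consider a matching guard before the return, for example `if user.has_usable_password(): return None`, after confirming the caller treats `None` as a failed login. Separately, `logger.debug("Created RADIUS user %s" % (username,))` runs before `user.save()` and at debug level; provisioning an account from an external source is worth an audit-visible record after the save, such as `logger.info("Created RADIUS user %s", username)`.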
@@ -14,3 +14,6 @@ On the other hand, the rest of authentication methods use the same types of logi
 * SAML
 Tower will try authenticating against each enabled authentication method *in the specified order*, meaning if the same username and password is valid in multiple enabled auth methods (For example, both LDAP and TACACS+), Tower will only use the first positive match (In the above example, log a user in via LDAP and skip TACACS+).
+
+## Notes:
+* TACACS+/RADIUS users and normal Tower users are strictly separated. For example, suppose there is a TACACS+ user with username 'Alice' which is known to TACACS+ backend but not Tower. If a user record with the same username 'Alice' is created in Tower before any log in attempt, Tower will always use its own authentication backend to authenticate Alice, even if TACACS+ backend is also available. On the other hand, if a successful log in attempt is conducted before any explicit user creation in Tower, a TACACS+ user 'Alice' is automatically created and Tower will always use TACACS+ backend for authenticating 'Alice'.