Exam 400-101 Question id=842 Infrastructure Security

You issue the aaa authentication login default group tacacs+ local command.

Which of the following statements is correct?

A. If a user's account is not found on the TACACS+ servers, the user will automatically be allowed access.
B. If the TACACS+ servers are unavailable, the user will automatically be allowed access.
C. If the TACACS+ servers are unavailable, the user will automatically be denied access.
D. The default authentication method is applied to all lines for which no other login method has been specified.

When you issue the aaa authentication login default group tacacs+ local command, the default authentication method is applied to all lines for which no other login method has been specified.

In this scenario, the router will first attempt to authenticate a user by checking a group of TACACS+ servers. If the TACACS+ servers do not respond, the router will use the local user database for authentication. To access the router if the TACACS+ server is unavailable, the user must authenticate to the local database.
Configuring a secondary authentication method, such as the enable password or the local database, is useful because administrators can still connect to the router even if the authentication server is unavailable.
If a user's account is not found on the TACACS+ servers, the user will be denied access. As long as a TACACS+ server responds, the router will not use the next authentication method on the list.
If the TACACS+ servers are unavailable, the user will not be automatically allowed or denied access. The user can still access the router by using the local database. To ensure that the user will be denied access if the TACACS+ servers are unavailable, you should issue the aaa authentication login default group tacacs+ command without the local keyword.
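
The fall-through rule described above, modelled in Python as an added example (a simplified model, not Cisco code and not part of the original question): the router moves to the next method only when the current one gives no answer, and a line without its own list uses the default list. The function names, the sample accounts and the list name used in the test are hypothetical.

```python
from enum import Enum

class Result(Enum):
    PASS = 1   # method answered and accepted the credentials
    FAIL = 2   # method answered and rejected them (includes unknown user)
    ERROR = 3  # method gave no answer, e.g. no TACACS+ server responded

# Constructed sample accounts (assumptions, not from the page).
TACACS_USERS = {"alice": "tacacs-pw"}
LOCAL_USERS = {"breakglass": "local-pw"}

def _match(db, user, password):
    return user in db and db[user] == password

def tacacs_group(reachable):
    """Model of 'group tacacs+': ERROR only when no server responds."""
    def check(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if _match(TACACS_USERS, user, password) else Result.FAIL
    return check

def local(user, password):
    """Model of 'local': the router's own username database."""
    return Result.PASS if _match(LOCAL_USERS, user, password) else Result.FAIL

def authenticate(method_list, user, password):
    """Try methods in order; move to the next one only on ERROR."""
    for method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False  # no method could answer, so the login is denied

def list_for_line(line, applied, lists):
    """A line uses the list named on it, otherwise the 'default' list."""
    return lists[applied.get(line, "default")]

if __name__ == "__main__":
    up = [tacacs_group(True), local]      # default group tacacs+ local
    down = [tacacs_group(False), local]   # same list, servers unreachable
    strict = [tacacs_group(False)]        # default group tacacs+ (no local)
    print(authenticate(up, "alice", "tacacs-pw"))          # TACACS+ accepts
    print(authenticate(up, "breakglass", "local-pw"))      # TACACS+ rejects; local not tried
    print(authenticate(down, "breakglass", "local-pw"))    # falls back to local
    print(authenticate(strict, "breakglass", "local-pw"))  # nothing answers
```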