I was under the impression:
aaa authentication login default group tacacs+ local
Means TACACS+ is up and happy, use that. If TACACS+ returns ERROR, use local credentials. This is good.
However, I figures this also meant deny local authentication if TACACS+ is up and functioning. But I can still login using local credentials even when TACACS+ is up and functioning. Is there a way I can disable this?