Option B is correct because on Cisco Nexus NX-OS, the command aaa authentication login default group < server-group > local creates the default login authentication method list and tells the switch to try the named AAA server group first, then fall back to the local user database if the AAA servers are unreachable or do not respond. Cisco’s NX-OS AAA documentation states that the default login method list is used for user logins, and that the group keyword points authentication to a configured TACACS+ or RADIUS server group. It also notes that local authentication is the fallback method unless that behavior is explicitly disabled. (Cisco)

The key reason the answer is B is the syntax: group ISE local means “authenticate with the TACACS+ server group named ISE first, then use local if the server is unavailable.” Option C uses only local authentication, so it does not use TACACS+ at all. Option D applies to console login configuration and is not the correct default user-login command. Option A is incorrect syntax for enabling this behavior; Cisco documents fallback error local as a behavior that is already present by default and can be disabled with the no form. (Cisco)