EXOS will send the first word of a command as the 'command' portion of the command authorization request, and the rest of the command will be in the 'argument' field.
For example, configure vlan data add port 1 untagged will result the following values being sent to the TACACS+ server:
Because of this, the server must be configured to permit all configuration starting with 'configure vlan data add port', but deny other configuration. This can be accomplished by specifying a wildcard in the argument portion.
argument='vlan data add port 1 untagged'
For this example, the command authorization configuration on the server would be to permit the following:
where .* is used as a wildcard.
argument='vlan data add port .*'
This example is for Aruba ClearPass, but configuration should be similar in other TACACS+ servers.