Remote authentication with user specific role

Hello everyone,

I was wondering how could I assign specific roles to each user I'm expecting on our systems. I know that if I create a local user with the same username as in the remote authentication server I can achive the exact thing. But we are using TACACS+ with ISE and multiple domains. If I try to create a user without the domain name it won't match and I cannot create local user with '\' like "domain\username".

It would be the most convenient solution to let the support partner login as auditor on normal days but make exceptions when the **bleep** hits the fan. Of course I have multiple workarounds like making exceptions on ISE or AD but these systems are under another unit's control. Also even temorarily changing the whole remote role group's role would be a security risk.

Any idea? How could I match the remote username with the local ones? What is your best practise handling the external contractors access to your systems?

All the best,

Bazsi