I was wondering how could I assign specific roles to each user I'm expecting on our systems. I know that if I create a local user with the same username as in the remote authentication server I can achive the exact thing. But we are using TACACS+ with ISE and multiple domains. If I try to create a user without the domain name it won't match and I cannot create local user with '\' like "domain\username".
It would be the most convenient solution to let the support partner login as auditor on normal days but make exceptions when the **bleep** hits the fan. Of course I have multiple workarounds like making exceptions on ISE or AD but these systems are under another unit's control. Also even temorarily changing the whole remote role group's role would be a security risk.
Any idea? How could I match the remote username with the local ones? What is your best practise handling the external contractors access to your systems?
A local user may be required to get the home directories configured so SSH/SCP works as expected. But for remote authentication/authorization it´s not necessary to configure the specific accounts on your BIG-IP device.