https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-policy/m-p/4693650#M577385 <P>Hi,</P><P>&nbsp;</P><P>If I understand it correctly you want to restrict the the sources from where device can be accesses via ssh/https. If thats so, yes you can use 'Tacacs: Remote Address' condition and you can mention IP address/s of the jump hosts or devcies from where connection will start.&nbsp;</P> Mon, 26 Sep 2022 10:22:09 GMT PSM 2022-09-26T10:22:09Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-policy/m-p/4693536#M577383 <P>Hello,&nbsp;</P><P>I've recently configured new rule on Cisco ISE that allows local administrators access to our devices. The rule consists of the following conditions:&nbsp;</P><P>- Device type equals "Switch"<BR />- User must be a member of AD group<BR />- Device location equals "XYZ"</P><P>Instead of applying ACL on VTY line which is not svalable solution, I would like to ask whether it's possible to add another condition, namely source IP address(es).</P><P>Is that possible?&nbsp;</P><P>Thank you in advance!</P> Mon, 26 Sep 2022 06:15:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-policy/m-p/4693536#M577383 lnw-team 2022-09-26T06:15:29Z https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-policy/m-p/4693650#M577385 <P>Hi,</P><P>&nbsp;</P><P>If I understand it correctly you want to restrict the the sources from where device can be accesses via ssh/https. If thats so, yes you can use 'Tacacs: Remote Address' condition and you can mention IP address/s of the jump hosts or devcies from where connection will start.&nbsp;</P> Mon, 26 Sep 2022 10:22:09 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-device-admin-policy/m-p/4693650#M577385 PSM 2022-09-26T10:22:09Z