I haven't tried it but you may be able to use the dictionary attribute from RADIUS of "Framed IP address" in a policy element that you call out in your Authentication phase as a prerequisite to the resultant Authorization profile which gives shell access at the appropriate privilege level.
Here's a handy list of all the RADIUS dictionary elements available to ISE:
https://communities.cisco.com/docs/DOC-67894
Much more common would be to just check the user identity in ISE. That way an authorized administrator can perform their job role no matter what machine they are on (and an unauthorized user cannot usurp the admin role by virtue of being on a certain machine).
Whether or not you do that, you can still restrict the source IP quite simply by using an access-list that you apply to the vty lines. That is perhaps one of the most common ways to restrict what hosts or networks are allowed to access devices in-band.