Can RADIUS be configured to prevent remote logins from admin accounts?

walterbyrd
Level 1

I don't need to know how to do it, just need to know if it can be done.

8 Replies

Hello,

What do you mean by 'admin' accounts? Any user/account can be blocked by RADIUS. What RADIUS host software are we talking about?

balaji.bandi
Hall of Fame

To have more clarity: admin accounts, locally created ones? "prevent remote logins" - meaning from outside your network?

You can allow only network IP addresses to access devices?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

What I mean is: can local administrative accounts be blocked from any remote access?
If users with admin privileges can log in locally, can those same users be blocked from logging in remotely?
Can RADIUS be configured to notice that an account has admin privileges and, because of those privileges, deny any remote login?
Can RADIUS be configured so that those with admin privileges can only log in locally?

Is this ISE or ACS? You can have a condition match against an IP range.

But again, when the user is coming from remote, using a public IP, why would you allow external access to devices? That is a security risk.

You can add an ACL to allow only an IP address range to access the device from the LAN (with IP address range).

Does this make sense?

 

BB

Thank you for your reply. That does make sense. However, I am not looking to block by IP range.

I want to allow users with admin privileges to log in locally, but not remotely.

I am still not clear about your terminology and what you are wanting to accomplish. When you talk about local administrative accounts, are these user IDs and passwords configured on the individual router/switch? Or is there more to this term? And when you say login locally, are you talking just about logging in on the console? Or is there more to it than just console access? And when you talk about remote login, is this just access to vty ports using telnet/SSH, or is there more to it than this?

If what you want to accomplish is that any login on the console authenticates using only the locally configured IDs and any login on the vty uses only IDs configured on the Radius server, it is fairly simple. When you enable aaa new-model it defaults to using locally configured IDs. So that would take care of console login. So you need to configure an aaa authentication method for the vty that specifies authentication using your Radius server.

If what I am describing is not what you want to accomplish then please provide clarification.

HTH

Rick
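The split Rick describes (console authenticates against the local database, vty uses RADIUS) looks like this on Cisco IOS. This is an added example, not configuration from the thread; the RADIUS server address, shared key and usernames are placeholders.

```cisco
! Added example, not from the original post. Console -> local database,
! vty (telnet/SSH) -> RADIUS only, so locally defined admins cannot log in remotely.
aaa new-model
!
! Named method lists instead of "default", so console and vty are kept separate.
aaa authentication login CONSOLE local
aaa authentication login VTY group radius
!
! Placeholder RADIUS server definition (address and key are examples, not real values).
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! Local admin account: usable on the console only, because the VTY list never consults "local".
username localadmin privilege 15 secret REPLACE_WITH_STRONG_PASSWORD
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication VTY
 transport input ssh
```

Because the VTY list is "group radius" with no "local" fallback, remote logins fail closed when every RADIUS server is unreachable; adding "local" as a fallback restores remote access in that case but also lets the local admin accounts in remotely, which is exactly what the question wants to prevent.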

Thank you for the reply. You clearly know much more about this than I do. I did not think the question was that complicated.

 

Using the method that you described, would the RADIUS server have to use Active Directory, or LDAP, or something, to see if a remote user can be logged in? Or does RADIUS have its own user database that needs to be configured? Does RADIUS have to be configured to exclude certain users, or can RADIUS be configured to look up user access permissions, and then exclude any user that has administrative privileges?

 

Thank you again.

 

The Radius server could use LDAP or Active Directory but is not required to use LDAP or Active Directory and could use some other resource to determine which users to allow access.

HTH

Rick