Network Policy Server policies for different Active Directory Groups

I am trying to configure a Network Policy for our OpenVPN server to authenticate using our Radius servers. Our radius servers currently have a bunch of radius clients configured, we use them for switches/routers authentication (network group.) Anyway, I added the IP of our OpenVPN server to the radius clients and a network policy to allow VPN group users to connect and it works. However, looks like VPN group users are now also able to access switches/routers and network group user are able to establish a VPN connection and we do not want that. We want to separate network group users to be able to access switches/routers (the way they were) and VPN group users to be able to authenticate to our VPN server, unless users are on both groups of course. Is there a way to configure that? Seems like if the IP (of our OpenVPN server) is configured on the radius clients then all of the network policies apply to authenticate? I have created different network policies specifying groups and client IPv4 but they do not seem to apply correctly, or at least I cannot get it right.

Thanks for the help!