Hello there,
There are two ways to restrict access for VPN clients. One is to use NAP with remediation server groups. The other method can be used with NAP or without it and involves configuring IP filters.
All you need to do is add an IP filter to the network policy that is matched by your VPN client when they enter the network. You can set the filter to allow access to a certain network, or to deny access to a certain network. Below is an example of how to deny access to the entire 10.0.0.0/8 network. You do not need NAP for this.
To make these determinations, NPS uses network policies that are configured in the NPS console. NPS also examines the dial-in properties of the user account in Active Directory® Domain Services (AD DS) to perform authorization.
https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-overview
Hope this resolves your Query !!
--If the reply is helpful, please Upvote and Accept it as an answer--