NPS MFA Extension with single RADIUS server
Hello,
We have an existing NPS and RADIUS setup running that covers our SSTP VPN clients, as well as 802.11x authentication on our UniFi access points.
We are looking to cover our VPN access with Azure MFA using the NPS extension.
On the deployment documentation provided by Microsoft, it states the below:
After you install and configure the NPS extension, all RADIUS-based client authentication that is processed by this server is required to use MFA. If all your VPN users are not enrolled in Azure AD Multi-Factor Authentication, you can do either of the following:
Set up another RADIUS server to authenticate users who are not configured to use MFA.
Create a registry entry that allows challenged users to provide a second authentication factor if they are enrolled in Azure AD Multi-Factor Authentication.
Create a new string value named REQUIRE_USER_MATCH in HKLM\SOFTWARE\Microsoft\AzureMfa, and set the value to TRUE or FALSE.
Based on that statement, does that mean that regardless of policies defined within NPS, all the VPN clients and all wireless client connection requests would be subject to an MFA challenge?
The workaround being to create a second VPN deployment that does not use the same NPS/RADIUS server, or to approach using the registry keys mentioned?
Thanks
James