Hello,
What you need to do is map 2 of your ACS groups with these 2 groups that you have defined in NT domain. You can do that, by going to External User database --> Group Mappings and add 2 group mappings and change all other combination to No Access. Then you can configure NAR, that is Network Access Retrictions, on both of the groups, that is deny Wireless devices (NDG) for the VPN group and vice versa.
I hope this helps. Regards,
Mynul