Using Active Directory Groups to Authenticate VPN Users

I am configuring SSL VPN for my network.  Only a subset of our users should have access to the VPN, and I would like to manage this through Active Directory groups.

I am using Active Directory authentication for the SSL VPN; I tried RADIUS, but I am using Windows NPS, and it fails unless I configure NPS to allow authentication using unencrypted PAP.  Unfortunately, I need to authenticate non-VPN users through Active Directory as well, so I am not able to configure the authentication servers to use more restrictive search queries.

I found a thread for Sophos UTM that sounds like exactly what I want: "Backend Groups."

Using Active Directory to Authenticate Selected VPN Users
https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/75448/using-active-directory-to-authenticate-selected-vpn-users

How can I achieve this in Sophos XG?  If not exactly this, are there any reasonable workarounds?  I tried adding another Active Directory Server entry that points to the same active directory server, but uses a more restrictive search query, but Sophos XG rejected it due to it having the same IP address.

  • The way I do this is by creating a security group in your AD, for example named VPN-USERS, and adding the users you want to have VPN access to this group.

    On the XG go to the Authentication > Servers tab and click on the import button (document icon with an arrow pointing to the left), and import the VPN-USERS group you just created.

    Now go to VPN > SSL VPN (Remote Access) and create a policy and add VPN-USERS to the Policy members.

    Don't forget to go to Authentication > Services and add your AD server to SSL VPN as an Authentication method.

    The search query I use is dc=domain-name,dc=local (or any other extension you use), then just browse through the domain to import the correct group.

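The first step of the answer above, done from PowerShell rather than the AD console, as an added example that is not part of the original thread: it derives the search-query base DN the answer mentions from the domain, creates the VPN-USERS security group, adds members, and verifies membership before the group is imported on the XG. It assumes the RSAT ActiveDirectory module, a domain-joined session with rights to create groups, and the sample account names alice and bob.

```powershell
# Added example (not from the original thread). Assumes the RSAT
# ActiveDirectory module and a domain-joined session with group-creation rights.
Import-Module ActiveDirectory

$groupName = 'VPN-USERS'
# Sample accounts for illustration; replace with the users who need VPN access.
$members   = @('alice', 'bob')

# Base DN for the XG "search query" field (the answer uses dc=domain-name,dc=local).
# Deriving it from the domain avoids a typo that would make the import find nothing.
$searchBase = (Get-ADDomain).DistinguishedName
Write-Host "Search query for the XG AD server entry: $searchBase"

# Create the global security group only if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security `
        -Description 'Users permitted to connect to the XG SSL VPN'
}

# Add only the accounts that are not already members; Add-ADGroupMember
# raises an error for an account that is already in the group.
$existing = Get-ADGroupMember -Identity $groupName |
            Select-Object -ExpandProperty SamAccountName
$toAdd = $members | Where-Object { $existing -notcontains $_ }
if ($toAdd) { Add-ADGroupMember -Identity $groupName -Members $toAdd }

# Verify the effective (nested) membership and flag any user that is missing,
# so the XG policy is only relied on once the group really contains them.
$current = Get-ADGroupMember -Identity $groupName -Recursive |
           Select-Object -ExpandProperty SamAccountName
foreach ($m in $members) {
    if ($current -contains $m) { Write-Host "OK      $m is a member of $groupName" }
    else                       { Write-Warning "MISSING $m is not a member of $groupName" }
}
```

After the group exists, import it on the XG under Authentication > Servers and add it to the SSL VPN policy as the answer describes; the recursive check above also shows who gets VPN access through nested groups.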