Hi,
I'm using a "black hole" setup together with Group policies to solve this. This is what I've done:
- Isolate the connectivity from the VPN-client subnet to none or internet only (if you are using a full tunnel.)
- Create a group policy
- Add "override" privileges to this group that matches your conditions
Note that when you use this type of setup you need to administer all incoming connections. I haven't tried this with the LDAP integration module, only with RADIUS, which doesn't support mapping of users into groups in this case.