NARs are based on two RADIUS attributes: calling-station-id (client information) and called-station-id (network device information).
The issue is based on the VPN NAR that you have configured.
However, let me explain why this works for the WLAN users. You configured an IP-based rule (don't know if this was intentional, but it works) in a way that if a client authenticates with the calling-station-id from the VPN server (IP address is the format for calling-station-id), it must match the called-station-id that belongs in the "NDG-WLAN", which fails. I noticed that you do not have a DNIS condition configured; the ACS is designed to fail over to this rule for non-IP-based NAR filters. For wireless dot1x authentication (calling-station-id is the MAC address of the client), there is no CLI/DNIS-based rule enabled, so that is why the wireless requests are permitted.
When the VPN users connect to wireless and hit the VPN NAR, the calling-station-id is in MAC address format, and with no CLI/DNIS rule configured you allow them access.
In the VPN NAR, you should create a DNIS-based rule which denies access from the NDG:WLAN and wildcard the DNIS field, and that will fix your issue.
"IP-based NAR filters work only if ACS receives the Radius Calling-Station-Id (31) attribute. The Calling-Station-Id (31) must contain a valid IP address. If it does not, it will fall over to DNIS rules."
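The filter selection described in the answer above, as an added Python sketch that is not part of the original thread and is not ACS code. It models a deny-type NAR only; the rule tuples, the function names, the sample addresses and the wildcarded CLI field are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def is_ip(value):
    """True when Calling-Station-Id (31) holds a valid IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def evaluate_deny_nar(nar, request):
    """Return (decision, filter_used) for a deny-type NAR.

    Simplified model of the behaviour described in the post: a valid IP in
    Calling-Station-Id selects the IP-based rules; anything else (such as a
    MAC address) falls over to the CLI/DNIS rules. A matching rule denies,
    and a request that matches no rule is permitted.
    """
    calling = request["calling_station_id"]
    if is_ip(calling):
        used, rules, values = "ip", nar["ip_rules"], (calling,)
    else:
        used, rules = "cli_dnis", nar["cli_dnis_rules"]
        values = (calling, request["called_station_id"])
    for ndg, *patterns in rules:
        if ndg == request["ndg"] and all(
            fnmatchcase(v, p) for v, p in zip(values, patterns)
        ):
            return "deny", used
    return "permit", used

# Constructed sample data: NDG-WLAN follows the post, NDG-VPN and all
# addresses are made up. IP rules are (NDG, source IP pattern); CLI/DNIS
# rules are (NDG, CLI pattern, DNIS pattern).
VPN_NAR_BEFORE = {"ip_rules": [("NDG-WLAN", "*")], "cli_dnis_rules": []}
VPN_NAR_AFTER = {"ip_rules": [("NDG-WLAN", "*")],
                 "cli_dnis_rules": [("NDG-WLAN", "*", "*")]}  # wildcard DNIS
WLAN_DOT1X = {"ndg": "NDG-WLAN", "calling_station_id": "00-11-22-33-44-55",
              "called_station_id": "66-77-88-99-AA-BB:corp"}
VPN_LOGIN = {"ndg": "NDG-VPN", "calling_station_id": "192.0.2.10",
             "called_station_id": "198.51.100.1"}

if __name__ == "__main__":
    for label, nar in (("before", VPN_NAR_BEFORE), ("after", VPN_NAR_AFTER)):
        print(label, "wlan:", evaluate_deny_nar(nar, WLAN_DOT1X))
        print(label, "vpn: ", evaluate_deny_nar(nar, VPN_LOGIN))
```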
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :