You can do it both ways. Have a different VPN portal with a unique IP Pool for users based on different AD group membership. Or put everyone in the same portal with the same IP Pool and use Firewall Policies to restrict access using AD group membership.
On a Firewall Policy, if you define two rules, each with the same source and dest IP but different source user groups, then you will only match the policy that has the correct user.
Then, create different portals for each respective group with the relevant restrictions in place.