IAS to authenticate Cisco VPN Clients & Cisco Device Management

Hi,
I have spent days reading about how to accomplish this but it's not working...

I need to use MS IAS 2003 to authenticate both Cisco VPN clients (connecting
to an IOS router from the Internet) and vty (SSH/Telnet) access to Cisco
devices for management.

I have two Remote Access Policies, both have only one condition (a Windows
group in AD).

The first policy is for Cisco Priv Level 15 access (vty) and has a profile
for PAP/SPAP authentication and a Cisco-AV-pair for "shellriv-lvl=15" and
Service-Type Login.

For the second policy (for Cisco VPN Clients), I don't really know what to
put in...

How would I differenciate the two policies using conditions? I want the
first policy to only grant access to manage Cisco devices... and the second
policy to only grant access to Cisco VPN Clients. How?

--
Pierre