Having some trouble getting NAP working in Server 2012 R2.

DHCP config - How do you segregate NAP-capable clients from non-NAP-capable clients? In Server 2008 R2, you configured the user class to give out different scope options: 1 set to the default user class, and 1 set for the NAP clients (I think). My DHCP server doesn't have the user class option in the advanced scope options screen. (Any ideas why this is?) The 70-417 book mentions something about using the MS-Service class option in network policies to apply different network policies to different scopes, but I can't find this documented anywhere.

VPN config - I can't even remember where I got up to with this now, but I didn't get it working. Got the VPN connection working... and then... Oh yeah, it was connectivity problems. So I was connected to the NPS server via a VPN connection, using a public IP address connected to the external adapter of the NPS server. It then occurred to me that I couldn't contact the DC. I can't remember whether I have to set the client as a DHCP client and whether it's something to do with the DHCP relay agent, or whether I have to set up static routes. (Sorry if this question seems lazy, but NPS/VPN isn't stated as an objective for 70-417, so I'm not sure how deep I have to go in regards to this. I think it may just be the NAP policies that I need to know etc., but I'm not sure.)

IPsec config - Right, I had this almost completely working, and I know why it's not working. Basically, when I set up the System Health Authentication Template, I type in the EKU manually for the System Health Authentication application policy, but when I add the template to the CA, the EKU is not correct. So I'm typing 1.3.6.1.4.1.311.47.1.1, but when I look at the cert on the CA it's coming up with 1.3.6.1.4.1.311.21.8.1111443.9763458 (+ a million more numbers). Just wondering if anyone else has come across this.

It's been a long day.

Thanks guys