NEAT not intended for Low Impact Mode

Jim Thomas
Level 4

Just to help other community members with this issue, NEAT is really not intended for Low Impact Mode. Marcin created a great how-to guide a few years back (NEAT Configuration Example with Cisco Identity Services Engine - Cisco). However, if you examine the commands that NEAT modifies on the interface of the upstream switch, you will notice that the port-based ACL (aka pre-auth ACL) is not removed, thus causing issues when downstream traffic attempts to access the network. This is because the dACL that is downloaded from ISE to the upstream switch only allows the IP address of the workgroup switch (aka downstream switch) and not the clients hanging off of the workgroup switch. You can see from this output of commands which are triggered by NEAT that the pre-auth ACL is not modified.

Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6
Oct 15 13:51:03.739: Applying command... 'no switchport nonegotiate' at Fa0/6
Oct 15 13:51:03.748: Applying command... 'switchport trunk encapsulation dot1q' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport trunk native vlan 1' at Fa0/6
Oct 15 13:51:03.764: Applying command... 'spanning-tree portfast trunk' at Fa0/6
Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client


Therefore, to properly implement NEAT, you would need to either remove the pre-auth ACL, which changes your architecture to 'closed-mode' from 'low-impact' (assuming you also remove 'authentication open' command), or use smartport Macros to issue the above commands and also remove the pre-auth ACL.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
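To verify the gap described above from a switch's own syslog, here is an added Python example (not from the post, not Cisco code) that parses the "Applying command..." lines NEAT logs and reports, per interface, whether any applied command removed the port ACL. The sample log is constructed from the output quoted in the post, and the `no ip access-group <name> in` pattern it looks for is an assumption about the command a corrective Smartport macro would have to issue.

```python
import re

# Constructed sample: the NEAT/AUTHMGR lines quoted in the post for Fa0/6,
# with the forum-wrapped command lines rejoined onto single syslog lines.
NEAT_LOG = """\
Oct 15 13:51:03.723: Applying command... 'no switchport access vlan 1' at Fa0/6
Oct 15 13:51:03.739: Applying command... 'no switchport nonegotiate' at Fa0/6
Oct 15 13:51:03.748: Applying command... 'switchport trunk encapsulation dot1q' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport mode trunk' at Fa0/6
Oct 15 13:51:03.756: Applying command... 'switchport trunk native vlan 1' at Fa0/6
Oct 15 13:51:03.764: Applying command... 'spanning-tree portfast trunk' at Fa0/6
Oct 15 13:51:04.805: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
"""

# Matches the per-command lines NEAT emits while reconfiguring the port.
APPLY_RE = re.compile(r"Applying command\.\.\. '(?P<cmd>[^']+)' at (?P<intf>\S+)")

# Assumption: removing the pre-auth (port-based) ACL means a command of the
# form "no ip access-group <ACL-NAME> in" was applied to the interface.
ACL_REMOVED_RE = re.compile(r"^no ip access-group \S+ in$")


def commands_by_interface(log_text):
    """Group every command NEAT applied, keyed by interface name."""
    applied = {}
    for line in log_text.splitlines():
        m = APPLY_RE.search(line)
        if m:
            applied.setdefault(m.group("intf"), []).append(m.group("cmd"))
    return applied


def check_preauth_acl(log_text):
    """Return {interface: bool}; True only if the port ACL was removed."""
    return {
        intf: any(ACL_REMOVED_RE.match(cmd) for cmd in cmds)
        for intf, cmds in commands_by_interface(log_text).items()
    }


if __name__ == "__main__":
    for intf, removed in check_preauth_acl(NEAT_LOG).items():
        state = "removed" if removed else "STILL PRESENT"
        print(f"{intf}: pre-auth ACL {state}")  # Fa0/6: pre-auth ACL STILL PRESENT
```

Feeding the script a log in which a macro also applied `no ip access-group <name> in` on the same port flips the result to True, which is the check to run after adding such a macro.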

hariholla
Cisco Employee

Most of Cisco's documentation calls out this restriction, e.g.:

Restrictions for Network Edge Authentication Topology

  • NEAT is not supported on an EtherChannel port.
  • It is recommended that NEAT is only deployed with auto-configuration.
  • This feature does not support standard ACLs on the switch port.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html#GUID-EF65297B-68EC-4282-95BB-7D7930921A42