Alex,
How are you forcing the traffic to the NAC? Using ACLs or PBRs?
What you're describing indicates that you're more than likely using ACL method. If so, ensure that in your access subnet, you are disallowing traffic being sent to the CAS. After your client authenticates and is in the access VLAN, the agent would still continue to send out the discovery packets every 5 seconds, and if that traffic is allowed in the access VLAN, it will pop the agent up again.
HTH,
Faisal