You can deploy NAC in inbound mode without Cisco switches, but you need to remember that you are not going to get all the benefit of the NAC, because all the devices on the untrusted side can talk to each other (even if you have it before the default gateway).
Because in an EDGE design you don't want the firewall to get involved with a lot of routing; you just need a default gateway for your firewalls. So HSRP will provide you one redundant default gateway, and then you can take care of routing and ISP redundancy in rout...
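To illustrate the point above (one HSRP virtual IP acting as the firewall's only default gateway, so the firewall itself carries no dynamic routing), here is an added example; it is not from the original post. The interface names, the 10.0.0.0/24 transit subnet, the group number and the priorities are assumptions chosen for the illustration.

```cisco
! --- Edge router A (preferred active) ---
! Track the upstream interface so A gives up the VIP if its ISP link goes down
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Transit to firewall pair (assumed subnet)
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20

! --- Edge router B (standby) ---
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Transit to firewall pair (assumed subnet)
 ip address 10.0.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 1 decrement 20

! --- Firewall (ASA syntax, assumed outside interface name) ---
! The firewall only needs one static default route to the HSRP VIP;
! which router answers for 10.0.0.1 is decided by HSRP, not by the firewall.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

With priority 110 minus the tracked decrement of 20, router A drops to 90 when its upstream link fails, so router B (priority 100, preempt enabled) takes over the virtual IP and the firewall's default route keeps working unchanged. Verify on the routers with `show standby brief` and on the ASA with `show route`.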
Based on the Cisco doc, you have to make this hole for getting to the domain, and also, if you don't open the right port, your SSO will fail, because the agent gets information from your PC after you log in to the domain, so if you fail at some point of auth your SSO will fail h...