Hi Jack,
The short answer is Yes.
The NAC server for the VPN will have to be inline to handle the remote employees.
The employees who access via the LAN wired will have their own NAC Server. Hopefully you will suggest an Out-of-Band, Virtual gateway deployment for them.
Both of these servers will need to be managed by a NAC Manager.
Hope this helps.
Paul