How does the Cisco NAM determine the presence of vulnerability without using the Cisco NAA on the client machine?