Does a configuration client configured to pull patches and software from a secondary site and MP needs a constant connection to the primarty site MP?

My understanding is, if define properly for the clients to only pull from the secondary site, there is no need for the clients to connect to the primary site MP for policy and instructions which distribution points it goes to.

Anyone can advise?

Correct. Once the client is communicating with the secondary site management point it will query that management point for things like policies and content locations.

Clients never pull patches and software from an MP. They do receive policies from it though. Software will be downloaded from a DP. 
Clients also have to be able to contact the primary site's MP. 

Noted that clients never pull from MP.  Just trying to understand since i alreadly have a MP at my secondary site, why would the clients need to connect back to the MP at the primary site as well?

Reason why i'm asking is becos, I want to restrict my clients to the primary site if they are not patch via a NAC solution. They should connect to a Secondary site to patch up before they are allow to connect to the primary site. This is to prevent any unpatch clients connecting to the Primary site.

Clients still have to contact the primary site's MP, so you should not restrict communication to it. 

I restrict via NAC to prevent clients that are not patched with the latest security patch to connect to Primary site.

Will only allow them to connect to Secondary MP and DP to patch up before allowing them to go into Primary site.

Any workaround or sugesstion/experience to share for organisation have NAC and SCCM solution?