My customer has an OPSWAT endpoint. The OPSWAT endpoint scans the employees' computers and checks for compliance with the organization policy. Currently there is no integration between OPSWAT and Meraki.
The customer requirement is as follows:
When a client connects to a Meraki AP, it will be blocked if it is not compliant with the OPSWAT policy.
OPSWAT has a registry key, and according to this registry value it is possible to know whether the client is compliant or not.
What would be the best way to update Meraki on whether a computer is compliant or not? Is there any way to run a custom script
from the Meraki side and, according to the script output, give the client the relevant access?
I found a few ways to overcome this issue, but all my solutions seem too complex, and I am sure there is an easier way to resolve it.
Possibly set the SSID to block everything, then have a group policy that will be applied to approved devices that will allow them. That may need to be done via an API if you don't want to add it manually (depending on the number of devices and your availability).
This is one of the solutions that I tried. The task can't be done manually.
When a client connects to the relevant network, it triggers a script that checks all the relevant services and registry keys. If everything is fine, it updates the Meraki dashboard.
But I have a few issues with that solution.
1. The default policy cannot block everything because the client needs to reach the Meraki API. That means that I need to create a policy where the Layer 4 firewall allows port 443 and blocks all the rest.
The Layer 7 firewall will allow access only to the Meraki domain.
2. But the real issue with this solution is that all clients will hold the API key.
3. Also, the API requests are limited to 5 requests per second, which means that I need to create connection control.
The other solution I thought about is to create a custom captive portal so clients will be redirected when they connect to the Meraki network. The client will provide that server with the relevant information, and this server will make the decision.
But the customer would like to avoid such a solution.
I think if it was me I would use FreeRADIUS, and deploy the SSID using WPA2-Enterprise mode.
I've never heard of OPSWAT, but presumably it has some centralised management console you can query to get the client status.
FreeRADIUS allows you to run a script when an authentication request comes in. I would write a request to query the state of OPSWAT from whatever their management console is. If the state is good, let the user on. If the state is not good, perhaps let them on but use the Filter-Id attribute to limit their access to whatever is needed to make their machine compliant.
Another option is to use the Tunnel-Private-Group-ID attribute, which lets you drop the user into a different VLAN. You could then have your firewall configured to treat users in this "remediation" VLAN differently.
This article gives an example of using Filter-Id using NPS:
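To make the FreeRADIUS approach above concrete, here is an added example (not code from the thread or from FreeRADIUS/OPSWAT) of the kind of script FreeRADIUS's `rlm_exec` module can run at post-auth time. It takes the User-Name and Calling-Station-Id as arguments, looks up the client's compliance state, and prints RADIUS reply attributes: nothing for a compliant host, `Tunnel-Type`/`Tunnel-Medium-Type`/`Tunnel-Private-Group-Id` plus `Filter-Id` for a non-compliant one (remediation VLAN and a restricted policy), and a reject for a host with no posture record. The OPSWAT console query is an assumption and is stood in for by a small constructed table; the VLAN number `30`, the `Filter-Id` value `remediation` (assumed to match a group policy name on the Meraki dashboard) and the module name `compliance` are also assumptions.

```python
#!/usr/bin/env python3
"""compliance_check.py - added example of an rlm_exec script for FreeRADIUS.

Assumed module definition (mods-enabled/compliance), then `compliance`
listed in the post-auth section of the site:

    exec compliance {
        wait = yes
        program = "/usr/local/bin/compliance_check.py %{User-Name} %{Calling-Station-Id}"
        input_pairs = request
        output_pairs = reply
        shell_escape = yes
    }

With output_pairs = reply, each "Attribute = value" line printed on stdout is
added to the Access-Accept; rlm_exec maps exit code 0 to ok, 1 to reject and
2 to fail.
"""
import sys
from typing import List, Tuple

# Constructed compliance table standing in for a query to the OPSWAT console
# (the console API is not described in the thread, so the lookup is assumed).
COMPLIANCE_BY_MAC = {
    "AA-BB-CC-DD-EE-01": "compliant",
    "AA-BB-CC-DD-EE-02": "noncompliant",
    # any other MAC -> "unknown"
}

REMEDIATION_VLAN = "30"             # assumed VLAN reserved for non-compliant hosts
REMEDIATION_FILTER = "remediation"  # assumed Filter-Id / Meraki group policy name


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabbccddeeff and return AA-BB-CC-DD-EE-FF."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"bad Calling-Station-Id: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def lookup_state(mac: str) -> str:
    """Return 'compliant', 'noncompliant' or 'unknown' for a client MAC."""
    return COMPLIANCE_BY_MAC.get(normalise_mac(mac), "unknown")


def reply_attributes(state: str) -> Tuple[int, List[str]]:
    """Map a compliance state to (rlm_exec exit code, reply attribute lines).

    compliant    -> plain Access-Accept, no extra attributes
    noncompliant -> accept, but move to the remediation VLAN and apply Filter-Id
    unknown      -> reject: no posture evidence for this host
    """
    if state == "compliant":
        return 0, []
    if state == "noncompliant":
        return 0, [
            "Tunnel-Type = VLAN",
            "Tunnel-Medium-Type = IEEE-802",
            f'Tunnel-Private-Group-Id = "{REMEDIATION_VLAN}"',
            f'Filter-Id = "{REMEDIATION_FILTER}"',
        ]
    return 1, []


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print("usage: compliance_check.py <User-Name> <Calling-Station-Id>", file=sys.stderr)
        return 2  # "fail" in rlm_exec terms: configuration problem, not a policy decision
    _user, mac = argv[1], argv[2]
    try:
        state = lookup_state(mac)
    except ValueError as exc:
        print(str(exc), file=sys.stderr)
        return 1  # malformed station id: reject rather than guess
    code, lines = reply_attributes(state)
    for line in lines:
        print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Rejecting the "unknown" state is the conservative choice: a host that OPSWAT has never reported on gets no network, rather than silently landing in the remediation VLAN where it might be mistaken for a known machine mid-remediation. Because the lookup runs on the RADIUS server, no client ever holds a Meraki API key and the dashboard's rate limit is not involved at all.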