I think if it was me I would use FreeRadius, and deploy the SSID using WPA2-Enterprise mode.

I've never heard of OpSwat, but presumably it has some centralised management console you can query to get the client status. FreeRadius allows you to run a script when an authentication request comes in. I would write a request to query the state of OpSwat from whatever their management console is.

If the state is good, let the user on. If the state is not good, perhaps let them on but use the Filter-Id attribute to limit their access to whatever is needed to make their machine compliant.

Another option is to use the Tunnel-Private-Group-ID attribute, which lets you drop the user into a different VLAN. You could then have your firewall configured to treat users in this "remediation" VLAN differently.

This article gives an example of using Filter-Id using NPS:
https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Using_RADIUS_Attributes_to_Apply_Group_Policies

This article gives a general overview of using RADIUS+WPA2-Enterprise and using Filter-Id:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
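An added example, not part of the original post and not OPSWAT, Meraki or FreeRADIUS project code: a sketch of the script the post describes, which maps a client's posture state to RADIUS reply attributes and treats unknown or unparseable clients as non-compliant. Assumptions: the script is called from a FreeRADIUS exec hook with the Calling-Station-Id as its first argument and its output is read as reply pairs; the posture table, `lookup_posture`, the VLAN id `99` and the policy name `Remediation` are hypothetical stand-ins.

```python
#!/usr/bin/env python3
"""Posture-based RADIUS reply attributes (added example, names are hypothetical)."""
import sys

# Constructed sample data standing in for the posture console's answer.
# A real deployment would replace lookup_posture() with a query to that console.
SAMPLE_POSTURE = {
    "aa:bb:cc:00:00:01": "compliant",
    "aa:bb:cc:00:00:02": "non-compliant",
}
REMEDIATION_VLAN = "99"             # assumed VLAN id for the remediation network
REMEDIATION_POLICY = "Remediation"  # assumed group policy name matched by Filter-Id


def normalize_mac(raw):
    """Reduce AA-BB-CC-.., aabb.cc00.., aa:bb:.. to aa:bb:cc:dd:ee:ff, else None."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_posture(mac):
    """Hypothetical posture lookup; anything not listed is 'unknown'."""
    return SAMPLE_POSTURE.get(mac, "unknown")


def reply_pairs(calling_station_id, use_vlan=False):
    """Return the reply attributes for this client as (name, value) tuples."""
    mac = normalize_mac(calling_station_id)
    state = lookup_posture(mac) if mac else "unknown"
    if state == "compliant":
        return []  # no restriction: the SSID's default access applies
    # Fail closed: non-compliant, unknown and malformed all get remediation.
    if use_vlan:
        return [
            ("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", f'"{REMEDIATION_VLAN}"'),
        ]
    return [("Filter-Id", f'"{REMEDIATION_POLICY}"')]


def render(pairs):
    """Format pairs one per line as 'Attribute = value'."""
    return "\n".join(f"{name} = {value}" for name, value in pairs)


if __name__ == "__main__":
    print(render(reply_pairs(sys.argv[1] if len(sys.argv) > 1 else "")))
```

If the posture console is unreachable, the lookup should return `unknown` rather than raise, so that an outage lands clients in remediation instead of granting full access.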