ClearPass is the best Network Access Control "Swiss army knife" out there right now. It can do 802.1x (WPA2-Enterprise) for WiFi and LAN. It also has one of the slickest guest captive portal experiences and workflows out there, along with an easy, drop-in BYOD application.
I have not had too much experience with OnGuard, the endpoint integrity feature, but it does that too. With all of the ClearPass integrations and RADIUS Change of Authorization (CoA), it is possible to login wired or wireless endpoints based on a variety of identity stores, then create and associate security policies, e.g., DACLs, based on a device.
Dynamically provision VLAN assignments, i.e., no more "color-coded ports", write Palo Alto Networks (PAN) NGFW policies that are associated with a specific user (rather than IP address), and quarantine or drop an endpoint off the network in an automated manner if an incident is detected.
All of this, naturally, comes with a lot of details in implementation, but my experience was, like all things InfoSec, implementing the controls is easy if you already have a clear, documented, executive-supported policy that you are using as the control to enforce. Otherwise, the control gets blamed for what is really a lack of clarity and leadership regarding the underlying business policy.