Thank you for the quick response, Tim.
I looked at the endpoint status attribute, but that appears to be restricted to Known, Unknown and Disabled. Would changing this attribute value cause the endsystem to reauthenticate against Radius? Would I need to make the API call to the controller instead?