topic Re: MAC Blocking During Cisco ISE Authentication Phase in Secure Access Discussions

MAC Blocking During Cisco ISE Authentication Phase

schikannikov — Wed, 20 May 2026 04:52:06 GMT

Hello. I have a MAC address that I need to block. I added this MAC address to the Blacklist group (Administration - Identity Management - Groups - Endpoint Identity Groups - Blacklist). I created a rule in the Authorization Policy section that blocks access if there's a match on the blacklist. This works correctly during authorization.

The problem is that I need to block the device during authentication, but I can't create such a rule in the Authentication Policy section; there's no Blacklist in Authentication Conditions.

How can I block a MAC address during authentication on Cisco ISE?

Re: MAC Blocking During Cisco ISE Authentication Phase

Singhaam — Wed, 20 May 2026 05:19:09 GMT

i guess the Blacklist/Endpoint Identity Group is typically evaluated during the Authorization phase, not during Authentication. That is why you cannot directly use the Blacklist group as a condition in the Authentication Policy.

if you want to block the mac before it even hits ISE then you need to local it locally on the switch.

Re: MAC Blocking During Cisco ISE Authentication Phase

Singhaam — Wed, 20 May 2026 05:22:02 GMT

you can create a Authorization Policy - Global Exceptions so the mac is blocked globally in ISE

Re: MAC Blocking During Cisco ISE Authentication Phase

ashish.kushwaha — Wed, 20 May 2026 06:53:59 GMT

Can you provide below details to understand in the better way

Authentication Method: Are you using:
- MAB (MAC Authentication Bypass)?
- 802.1X authentication?
- Both?
Deployment Type: Is this for:
- Wired network access?
- Wireless network access?
- Both?
Desired Outcome: When a blacklisted MAC address attempts to authenticate, do you want to:
- Completely reject/drop the authentication request?
- Authenticate but assign to a quarantine/restricted VLAN?
- Redirect to a portal page?
ISE Version: What version of Cisco ISE are you running?
Current Behavior: When the blacklisted MAC currently gets pass authentication, what authorization result does it receive?

Re: MAC Blocking During Cisco ISE Authentication Phase

ashish.kushwaha — Wed, 20 May 2026 06:55:31 GMT

What I Understand So Far:

Your Core Issue: You can block MAC addresses during the Authorization phase using Endpoint Identity Groups (Blacklist), but there's no direct Blacklist condition available in Authentication Policy rules, so you cannot block devices before they even authenticate.

Re: MAC Blocking During Cisco ISE Authentication Phase

schikannikov — Wed, 20 May 2026 07:01:46 GMT

1. Microsoft Active Directory is used for authentication.
2. I need to disable MAC addresses for the wireless network.
3. Desired result: completely reject the device's connection attempt.
4. ISE version 2.2.0.470.
5. The MAC address, while blacklisted, attempts to authenticate but is unable to complete due to an incorrect password.
I need to prevent the password prompt from appearing.

Re: MAC Blocking During Cisco ISE Authentication Phase

schikannikov — Wed, 20 May 2026 07:17:38 GMT

Yes

Re: MAC Blocking During Cisco ISE Authentication Phase

ashish.kushwaha — Wed, 20 May 2026 07:44:37 GMT

Cisco ISE processes network access in two sequential phases:

Authentication Phase: Verifies the identity of the user/device
Authorization Phase: Determines what access the authenticated identity should receive

The core issue: The Endpoint Identity Group Blacklist feature only works in Authorization Policies, not in Authentication Policies. When using 802.1X with Active Directory authentication for wireless networks:

ISE first attempts to authenticate the user credentials
The device gets a password prompt during 802.1X negotiation
Only AFTER successful authentication does ISE check the Authorization Policy
By this time, the user has already seen and potentially interacted with the login screen

This is a design characteristic of how 802.1X works - it's credential-based authentication, so the authentication phase expects user input before the device identity can be fully evaluated.

So for this you can explore with the other method.

Configure the wireless SSID to attempt MAC Authentication Bypass (MAB) first, followed by 802.1X. This allows ISE to check the device's MAC address during authentication (before credentials are requested) and block blacklisted devices immediately.

Architecture Flow

Device connects → WLC attempts MAB authentication first → ISE checks MAC address
↓
If MAC is blacklisted → Reject immediately (no password prompt)
↓
If MAC is not blacklisted → Fall back to 802.1X → AD authentication → Success

Re: MAC Blocking During Cisco ISE Authentication Phase

schikannikov — Wed, 20 May 2026 07:50:31 GMT

Can you please tell me where this is configured?

Re: MAC Blocking During Cisco ISE Authentication Phase

Aref Alsouqi — Wed, 20 May 2026 08:23:43 GMT

Please try this and see if it works.

- Go to your interested authentication policy
- Add an authentication rule above the MAB common one
- Add the compound condition "Wired_MAB" or "Wireless_MAB" or both
- Add a new condition and select "Radius" from the list
- Add "Calling-Station-ID" condition
- Add the MAC address that you want to block
- Set the action of that rule to "Deny"

Re: MAC Blocking During Cisco ISE Authentication Phase

schikannikov — Thu, 21 May 2026 04:26:45 GMT

This does what I need! I did as you said (I attached screenshots to the message), and the device started getting blocked. My question is: is there a way to use a list of devices instead of just one MAC address?

Re: MAC Blocking During Cisco ISE Authentication Phase

Aref Alsouqi — Thu, 21 May 2026 09:40:37 GMT

Glad to hear it's working as expected. Tbh, I don't think there is a way to reference a list or an identity group in this case. However, one thing you could potentially explore would be to go through ISE endpoint groups and make sure none of the MACs that should be blocked are there, and then make sure that the option "If user not found" are set to drop as it shows on "2.png" screenshot on your authentication rule that would have "Permit" action configured.

In other words in ISE you can deal with MAB authentications in two ways, one way would be to say if a MAC doesn't already exist in ISE I want to block it from passing the authentication, and that's where you configure the "If user not found" option to drop. The other way which we usually use for guest traffic would be to say pass authentication of any MAC even if the MAC doesn't exist in ISE and that's where you set the option "If user not found" to be allow/pass. With this option ISE endpoint database will keep adding any MAC that would be seen by ISE for a first time.

Think about a guest portal that you configure where you want any guest to be allowed to go through the portal registration (or even a hotspot) and then connect to the network. In that case you would have two options, option one would be to get the MAC addresses of all guests ahead of time and that is a nightmare and it's not even practical or option two would be to allow any MAC to pass authentication and then restric accesses with the authorization rules. Option one here would need the option "If user not found" to be set to drop and option two would need the option "If user not found" to be set to allow.

Also, as a side note, passing authentication doesn't mean getting access to the network as you could see on your environment. You can see many customers deployments allow MAC addresses authentications but then restrict or deny them access to the network by the authorization rules.