05-07-2014 06:10 AM - edited 02-21-2020 05:10 AM
Hi All,
Our company deployed Cisco ISE system to control PC clients access LAN.
I have a question:
I'd know a MAC address and I want to deny this MAC address to access our company LAN?
What step should I do it?
Thanks a lot !!
BR Frank
05-09-2014 04:30 AM
From ISE Identity Management, open Endpoints. If the endpoint is there (search for the endpoint using its MAC), select the endpoint and edit it. Opt for static group assignment and assign the endpoint to Blacklisted. Now, from the Authorization policy, make one policy like: if condition <Blacklisted> then permissions <Deny>.
05-09-2014 07:33 PM
Hi Salodh,
As before, I just found the MAC address and assigned it to the "BLACKLIST" group, but I didn't define a "BLACKLIST" policy; I think this is the reason for my failure.
Thanks a lot.
/Frank
04-04-2022 03:46 AM
I want to achieve this use case via REST APIs. Is there any suggestion?
04-04-2022 12:27 PM
@haseeb.shaukat, please see ISE ERS API Examples:
You may always re-use the default Blacklist / Blocked List endpoint group in ISE.
You may need to update/change/create an Authorization Rule in ISE depending on your policy sets and authorization rules.
04-04-2022 11:14 PM - edited 04-04-2022 11:15 PM
@thomas Thanks for the suggestions. I have studied the APIs you referenced, but have some confusion:
1) Does an Endpoint Group with the name "BLACKLIST" exist by default in ISE? If not, is creating an endpoint group with the name "BLACKLIST" sufficient? I mean there is no option available to set an action for an endpoint group, e.g. action=deny/allow traffic; is only naming a group "BLACKLIST" enough?
2) Can we remove an endpoint from the blacklist endpoint group? If yes, which APIs can I use?
3) Can I search endpoints by IP address via APIs and get their MAC addresses?
4) What kind of authorization rule is required to make it work?
04-05-2022 01:15 AM
> Does an Endpoint Group with the name "BLACKLIST" exist by default in ISE?
Yes, but I believe it was changed in ISE 3.0 to BLOCK LIST. You may create your own group to do the same thing.
> Can we remove an endpoint from the blacklist endpoint group? If yes, which APIs can I use?
Yes. Delete the endpoint or change its endpoint group. Which API resource you use depends on your approach.
> Can I search endpoints by IP address via APIs and get their MAC addresses?
Please see the Monitoring REST APIs for endpoint- and IP-based queries. You cannot do such a query for all known ISE endpoints today.
Session Counters
https://ise/admin/API/mnt/Session/ActiveCount
https://ise/admin/API/mnt/Session/PostureCount
https://ise/admin/API/mnt/Session/ProfilerCount
Session Lists
https://ise/admin/API/mnt/Session/ActiveList
https://ise/admin/API/mnt/Session/AuthList/{options}
Session Attributes
https://ise/admin/API/mnt/Session/MACAddress/{mac}
https://ise/admin/API/mnt/Session/UserName/{username}
https://ise/admin/API/mnt/Session/IPAddress/{nas-ip}
https://ise/admin/API/mnt/Session/Active/SessionID/{audit-session-id}/0
Others
https://ise/admin/API/mnt/Version
https://ise/admin/API/mnt/FailureReasons
https://ise/admin/API/mnt/AuthStatus/MACAddress/{mac}/{seconds}/{records}/All
https://ise/admin/API/mnt/AcctStatusTT/MACAddress/{mac}/{seconds}
https://ise/admin/API/mnt/CoA/Reauth/{psn}/{mac}/{reauthtype}/{nas-ip}/{dst-ip}
https://ise/admin/API/mnt/CoA/Disconnect/{psn}/{mac}/{disconnecttype}/{nas-ip}/{dst-ip}
> What kind of authorization rule is required to make it work?
Have you looked at the ISE Default Policy Set and the Wireless Black List authorization rule in ISE? Like that, but you do not need to limit it to Wireless Access. See Static Endpoint Group(s) in the ISE Authentication and Authorization Policy Reference.
Status | Rule Name | Conditions | Profiles | Security Groups | Hits | Actions
---|---|---|---|---|---|---
✔ | Wireless Block List Default | | Block_Wireless_Access | Select from list | 0 | ⚙
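The ERS approach described in this thread (find the endpoint, move it into the Blacklist / Blocked List endpoint identity group, let an authorization rule on that group do the deny), written out as an added example that is not the thread's or Cisco's code. It uses the ERS resources /ers/config/endpointgroup and /ers/config/endpoint with an ERSEndPoint payload and ERS's attribute.EQ.value filter; the group name, MAC addresses and ids are constructed placeholders, and the HTTP layer is injected so the logic runs offline against the FakeIse stand-in.

```python
"""Block a MAC in Cisco ISE by statically assigning its endpoint to the Blacklist /
Blocked List endpoint identity group over the ERS API (added example, not Cisco's code).
The HTTP layer is injected so this runs offline against FakeIse below; the deny itself
still comes from an authorization rule that matches the group, as the thread notes."""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def normalize_mac(mac: str) -> str:
    """Validate and canonicalise to AA:BB:CC:DD:EE:FF before it goes into a URL filter."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").upper()

def block_mac(ise, mac: str, group_name: str = "Blacklist") -> dict:
    """Look up the group, then update the endpoint if ISE knows it, else create it.
    `ise` must offer get(path)->dict, put(path, body) and post(path, body)."""
    mac = normalize_mac(mac)
    groups = ise.get(f"/ers/config/endpointgroup?filter=name.EQ.{group_name}")
    hits = groups["SearchResult"]["resources"]
    if not hits:
        raise LookupError(f"endpoint group {group_name!r} not found (ISE 3.0+: 'Blocked List')")
    group_id = hits[0]["id"]
    body = {"ERSEndPoint": {"mac": mac, "groupId": group_id, "staticGroupAssignment": True}}
    found = ise.get(f"/ers/config/endpoint?filter=mac.EQ.{mac}")["SearchResult"]["resources"]
    if found:                      # known endpoint: PUT keeps its id, changes the group
        body["ERSEndPoint"]["id"] = found[0]["id"]
        ise.put(f"/ers/config/endpoint/{found[0]['id']}", body)
        return {"action": "updated", "groupId": group_id}
    ise.post("/ers/config/endpoint", body)   # never seen by ISE: create it pre-blocked
    return {"action": "created", "groupId": group_id}

class FakeIse:
    """Constructed stand-in for an ISE PAN: one group, one already-known endpoint."""
    def __init__(self):
        self.groups = {"Blacklist": "group-id-placeholder"}
        self.endpoints = {"00:11:22:33:44:55": {"id": "ep-001", "groupId": "default-grp"}}
    def get(self, path):
        key = path.split(".EQ.", 1)[1]
        table = self.groups if "endpointgroup" in path else self.endpoints
        if key not in table:
            return {"SearchResult": {"total": 0, "resources": []}}
        ident = table[key] if isinstance(table[key], str) else table[key]["id"]
        return {"SearchResult": {"total": 1, "resources": [{"id": ident}]}}
    def put(self, path, body):
        ep = body["ERSEndPoint"]
        self.endpoints[ep["mac"]]["groupId"] = ep["groupId"]
    def post(self, path, body):
        ep = body["ERSEndPoint"]
        self.endpoints[ep["mac"]] = {"id": f"ep-{len(self.endpoints) + 1:03d}", "groupId": ep["groupId"]}
```

Against a real PAN, replace FakeIse with a thin wrapper that sends the same paths to https://<pan>:9060 with ERS-admin basic auth and Accept/Content-Type set to application/json, and pass the group name your deployment actually uses.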
04-12-2023 02:05 PM
This is a very similar issue we have... an Android device lost with user AD credentials in it, attempting every minute to authenticate and causing the AD user account to be locked out. I added the MAC address to a deny rule at the top of the authentication policy... but the issue still occurred.... and I was able to confirm this in Operations -> Live Logs when filtering on the MAC address.... so I opened a TAC case and this is what they told me:
"ISE is not able to block by MAC address without affecting the user because the device is using user authentication as its method, so when it tries to log in and fails (because of the policy to deny that MAC address) then it blocks the user too, affecting the customer's real user. From ISE there is no way to block a MAC address before starting the process of authenticating; that's why the customer needs to get the MAC address blocked from the network access device (WLC).
Since the issue is that the endpoint has user authentication set as its authentication method, and we don't have access to that endpoint, we won't be able to block the MAC address without affecting the user."
Is this legit??
01-02-2020 03:57 PM - edited 01-02-2020 03:59 PM
Profile the device as blacklisted:
1.2: Administration -> Identity Management -> Endpoint -> (search MAC) -> In network search, Blacklisted
2.X: Administration -> Identity Management -> Groups -> Endpoint Identity Groups -> Blacklisted -> Edit -> Add
Regards
07-27-2022 04:27 AM
Hi,
check out the following tool, which uses the ISE API for MAC address management:
Jakub