
How to block one client in ISE?

tonyang (Level 1)

I am implementing 802.1x authentication for wireless and wired networks. May I ask how to block a client in ISE? Is it possible to add the client MAC to a blacklist in ISE?

16 Replies

@tonyang you can add the MAC address to the predefined identity group called "blocklist" and then create an authorisation rule to block devices in that group from connecting. Example: https://community.cisco.com/t5/security-knowledge-base/ise-authentication-and-authorization-policy-reference/ta-p/3850472#toc-hId--2143165211


You are correct, but which 802.1x attribute carries the user's MAC?

If he uses MAB, then the username is the MAC and he can use it to build the blacklist, but for 802.1x I think he needs a command on the NAD to send the user's MAC as an attribute with the 802.1x RADIUS traffic.

The MAC address is not required to be used for authentication; you implement this blocklist during authorisation, where the authenticating user is connecting from a MAC address that is a member of the blocklist endpoint identity group and is subsequently denied access.

How does ISE know the MAC address?

@MHM Cisco World the MAC address is learnt via DHCP or RADIUS. ISE uses the MAC address to create an entry in the Endpoint database. You do not need to use MAC authentication (MAB) to block a client. When processing the connection, ISE will know the endpoint MAC address and the authenticating username (amongst other attributes). The MAC address can be used as a condition in an authorisation rule, usually when referenced in an endpoint identity group (as per the example provided), and you can then deny/permit as required.

@tonyang another option (if required): you could create an AD group called, e.g., "Blocked Users", then create an exception rule that denies users' connections if they are a member of that group.

Thank you, Rob.

May I ask how to define the condition for an exception rule?

@tonyang just create an authorization rule (as per the example provided) under either the Policy Set Local Exceptions or Global Exceptions; these rules will be processed prior to the Authorization Policy.

[screenshot attached: RobIngram_0-1690871492099.png]


@Rob Ingram I see where I need to define it, in a local/global exception. But I want to consult with you on how to define the condition.

I just created one security group "Workstation Deny Group" in AD. Thank you.


@tonyang you don't actually need to use the "Security Group", that's only if you are using TrustSec SGTs for enforcement.

In closed mode a deny should suffice; in open mode you could just apply a DACL to restrict traffic.

[screenshot attached: RobIngram_0-1690872407319.png]


Thank you, Rob,

I just implemented one local exception to manage the blacklist, and it works smoothly in my environment. I am wondering if I can have an alternative way to do it, like using an AD group (security group) to manage/control it.

Thank you, Rob.

I implemented the block list in the authorization policy. I just implemented the RADIUS protocol in the authentication policy, and moved the block list to the top among the multiple authorization conditions.


@tonyang yes you can (I did already previously suggest that as another option).

Create a group in Active Directory, add the user or computer (if just using machine authentication), and import that group into ISE. Create the block authorisation rule to reference that ExternalGroup and set deny access (and, if necessary, a DACL).

You use 802.1x, not MAB?

Radius server attribute 31 <<- this is needed on the SW

And then configure the blacklist in ISE with a condition on the calling-station MAC.
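A small model of the evaluation order Rob describes (exception rules before the Authorization Policy, with a blocklist endpoint identity group or an AD group as the condition) and of the RADIUS attribute 31 dependency MHM raises. This is an added illustration in Python, not ISE code or anything posted in the thread; the group contents, MAC addresses and usernames are constructed, and the AD deny group name reuses the one tonyang mentioned.

```python
import re

# Constructed sample data standing in for ISE's "blocklist" endpoint identity
# group and for the AD ExternalGroup imported into ISE (hypothetical values).
BLOCKLIST_ENDPOINT_GROUP = {"00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"}
AD_DENY_GROUP = "Workstation Deny Group"
AD_MEMBERSHIP = {
    "alice": {"Domain Users"},
    "bob": {"Domain Users", AD_DENY_GROUP},
}

HEX12_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(calling_station_id):
    """Normalise RADIUS attribute 31 (Calling-Station-Id) to the AA:BB:CC:DD:EE:FF
    form. Switches send the MAC in several formats (aabb.ccdd.eeff, aa-bb-cc-dd-ee-ff,
    aabbccddeeff); a blocklist lookup only works if both sides use one canonical form."""
    raw = re.sub(r"[.:\-]", "", calling_station_id.strip())
    if not HEX12_RE.match(raw):
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    raw = raw.upper()
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def authorize(radius_request):
    """Mimic the order described in the thread: local/global exception rules
    (blocklist endpoint group, AD deny group) are evaluated before the normal
    Authorization Policy. Returns the name of the resulting authorization profile."""
    user = radius_request.get("User-Name", "")
    csid = radius_request.get("Calling-Station-Id")
    # Without attribute 31 the NAD never told ISE the endpoint MAC, so only the
    # username-based rule can match; the MAC blocklist is silently bypassed.
    mac = normalize_mac(csid) if csid is not None else None

    # Exception rules: processed prior to the Authorization Policy.
    if mac is not None and mac in BLOCKLIST_ENDPOINT_GROUP:
        return "DenyAccess"
    if AD_DENY_GROUP in AD_MEMBERSHIP.get(user, set()):
        return "DenyAccess"

    # Authorization Policy: anyone authenticated and not caught by an exception.
    return "PermitAccess"
```

The `None` branch is the case MHM is pointing at: if the switch does not send attribute 31, a rule keyed on the endpoint MAC has nothing to match, so verify the NAD configuration before relying on the blocklist alone.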