1. Microsoft Active Directory is used for authentication.
2. I need to disable MAC addresses for the wireless network.
3. Desired result: completely reject the device's connection attempt.
4. ISE version 2.2.0.470.
5. The MAC address, while blacklisted, attempts to authenticate but is unable to complete due to an incorrect password.
I need to prevent the password prompt from appearing.

Cisco ISE processes network access in two sequential phases:

1. Authentication Phase: Verifies the identity of the user/device
2. Authorization Phase: Determines what access the authenticated identity should receive

The core issue: The Endpoint Identity Group Blacklist feature only works in Authorization Policies, not in Authentication Policies. When using 802.1X with Active Directory authentication for wireless networks:

• ISE first attempts to authenticate the user credentials
• The device gets a password prompt during 802.1X negotiation
• Only AFTER successful authentication does ISE check the Authorization Policy
• By this time, the user has already seen and potentially interacted with the login screen

This is a design characteristic of how 802.1X works - it's credential-based authentication, so the authentication phase expects user input before the device identity can be fully evaluated.

So for this you can explore with the other method.

Configure the wireless SSID to attempt MAC Authentication Bypass (MAB) first, followed by 802.1X. This allows ISE to check the device's MAC address during authentication (before credentials are requested) and block blacklisted devices immediately.

Architecture Flow

Device connects → WLC attempts MAB authentication first → ISE checks MAC address
↓
If MAC is blacklisted → Reject immediately (no password prompt)
↓
If MAC is not blacklisted → Fall back to 802.1X → AD authentication → Success

Can you please tell me where this is configured?

Yes

This does what I need! I did as you said (I attached screenshots to the message), and the device started getting blocked. My question is: is there a way to use a list of devices instead of just one MAC address?

Glad to hear it's working as expected. Tbh, I don't think there is a way to reference a list or an identity group in this case. However, one thing you could potentially explore would be to go through ISE endpoint groups and make sure none of the MACs that should be blocked are there, and then make sure that the option "If user not found" are set to drop as it shows on "2.png" screenshot on your authentication rule that would have "Permit" action configured.

In other words in ISE you can deal with MAB authentications in two ways, one way would be to say if a MAC doesn't already exist in ISE I want to block it from passing the authentication, and that's where you configure the "If user not found" option to drop. The other way which we usually use for guest traffic would be to say pass authentication of any MAC even if the MAC doesn't exist in ISE and that's where you set the option "If user not found" to be allow/pass. With this option ISE endpoint database will keep adding any MAC that would be seen by ISE for a first time.

Think about a guest portal that you configure where you want any guest to be allowed to go through the portal registration (or even a hotspot) and then connect to the network. In that case you would have two options, option one would be to get the MAC addresses of all guests ahead of time and that is a nightmare and it's not even practical or option two would be to allow any MAC to pass authentication and then restric accesses with the authorization rules. Option one here would need the option "If user not found" to be set to drop and option two would need the option "If user not found" to be set to allow.

Also, as a side note, passing authentication doesn't mean getting access to the network as you could see on your environment. You can see many customers deployments allow MAC addresses authentications but then restrict or deny them access to the network by the authorization rules.