You know what, I couldn't resist sharing some thoughts on this.
This Cisco feature is terrible.
At one time, it was on by default (don't know if it is now).
I've seen it cause horrible issues in certain environments. As we all know, clients tend to be unpredictable. In a couple of troubleshooting situations (warehouses mostly) I saw this cause instability and business impact. The fact was clients were triggering on the client exclusion. For example, handheld guns tend to reconnect and not send a DHCP. With some Cisco deployments, the result was guns being excluded due to "normal" behaviour. Consider other scenarios where the poorly engineered client fails to authenticate because, well, it's poorly engineered (seen this too).
It causes more pain than gain. I'm not a fan.
A better way to exclude this from a security perspective is to get the auth server to lock out the account after a number of failures. BUT consider the engineering quality of your clients. Not all clients are created equal.