and the full answer from an old post here:
When a client is connected to the controller, the blacklist time is obtained from the Virtual AP that the client is currently connected to. If the client is NOT in the user table, the blacklist time is then derived from the "ap ap-blacklist-time 0" that you mentioned.
Type "show ap blacklist-clients" when you do a blacklist to see who is blacklisted and how much time is left.
CLI commands needed:
stm add-blacklist-client <MAC>
If you blacklist a client while they are not associated, the blacklist time comes from the controller rather than the VAP profile. To permanently blacklist those clients, first add the following to each controller config:
ap ap-blacklist-time 0