There are multiple options to block a client.
- Blacklist; however, in most cases this blacklist is not permanent
- For a dot1x network, just deny the RADIUS request
Open networks and networks with MAC authentication are a little more difficult, but it's still possible to block a client on these networks.
The trick is to assign a denyall role to the device you want to block.
First create a denyall user role.
user-role denyall
!
It's just a dummy role without any ACL.
The second step is to assign the user-role to the device.
If the network isn't using MAC auth (open network without MAC caching) then you can use a user derivation rule to assign the role.
aaa derivation-rules user blockuser
set role condition macaddr equals 00:11:22:33:44:55 set-value denyall
!
aaa profile guest-aaa_profile
user-derivation-rules blockuser
!
Make sure you assign the aaa profile to the virtual AP profile.
For networks with MAC auth (to ClearPass) you can create a rule within ClearPass to return the denyall user-role for the device you want to block. In that case you don't need the derivation rule.
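When more than one device has to be blocked, the derivation rule block can be generated from a list of MAC addresses. The script below is an added example, not part of the original post: it normalizes common MAC notations, rejects invalid or multicast addresses, and flags locally administered (typically randomized) addresses, for which a MAC-based block will not follow the device. It reuses the `blockuser` and `denyall` names from the config above and assumes several `set role` lines are placed in one derivation-rules profile; the sample input is constructed.

```python
import re

# Names taken from the config on this page.
RULE_PROFILE = "blockuser"
DENY_ROLE = "denyall"

# Accepted notations: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
MAC_PATTERNS = (
    r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}",
    r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}",
    r"[0-9A-Fa-f]{12}",
)

def normalize_mac(raw):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff or raise ValueError."""
    text = raw.strip()
    if not any(re.fullmatch(p, text) for p in MAC_PATTERNS):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if int(digits[:2], 16) & 0x01:  # group bit set: multicast or broadcast
        raise ValueError(f"multicast/broadcast address, not a client: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_block_rules(macs):
    """Return (config_text, warnings) for a list of MAC address strings."""
    seen, rules, warnings = set(), [], []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:  # same device written in another notation
            continue
        seen.add(mac)
        if int(mac[:2], 16) & 0x02:  # locally administered bit
            warnings.append(f"{mac} is locally administered (likely randomized)")
        rules.append(f"set role condition macaddr equals {mac} set-value {DENY_ROLE}")
    config = "\n".join([f"aaa derivation-rules user {RULE_PROFILE}", *rules, "!"])
    return config, warnings

if __name__ == "__main__":
    # Constructed sample input: one duplicate, one randomized-style address.
    sample = ["00:11:22:33:44:55", "00-11-22-33-44-55", "DA11.2233.4455"]
    config, warnings = build_block_rules(sample)
    print(config)
    for w in warnings:
        print("warning:", w)
```

Review the generated block before pasting it into the controller, and treat any warning as a sign that the client can come back under a new address.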