Hi,
There are no direct options to block a MAC address from only one AP. But you can configure an ap-specific for the single AP, map a cloned AAA profile, apply a user-derivation or server-derivation rule, and assign that user a "denyall" role. This may be a lot of work, but I don't think there is an easy way to just blacklist the user.
Thanks,
Rajaguru Vincent