Do you have ClearPass? If you don't, there are other options.
If you just want to block one MAC address, then all you have to do is the following to blacklist that client:
(controller) #stm add-blacklist-client <client mac>
If you want to block several iPhones, then you have to do the following:
- You can create a user-role that has a deny all, and then you can force all the iPhones onto it based on the DHCP option (fingerprint) so they are blocked.
1- You need to enable logging level debugging network subcat dhcp, and this will give you the DHCP options for the iPhones.
Do a show log network all | include <mac address of the iPhone>
Apr 22 12:00:53 dhcpdwrap[3457]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan233: REQUEST 12:ac:bc:45:84:89 reqIP=10.10.33.10 Options 37:0103060f77fc
2- Once you have that, you can create a derivation rule to put the iPhone on the user-role that denies everything:
aaa derivation-rules user "test"
set role condition dhcp-option contains "37:0103060f77fc" set-value "deny-role" position "1" description "deny-iphone"
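As an added example (not from the post and not Aruba's own tooling), a short Python script that pulls the MAC, requested IP and DHCP option fingerprint out of dhcpdwrap debug lines like the one above, groups clients by fingerprint so you can see which devices share it before blocking, and renders the derivation-rule CLI lines. The comma-separated Options format and the extra log lines are assumptions/constructed, not taken from the post.

```python
import re
from collections import defaultdict

# Client-facing part of an ArubaOS dhcpdwrap debug line, e.g.
#   ... Datapath vlan233: REQUEST 12:ac:bc:45:84:89 reqIP=10.10.33.10 Options 37:0103060f77fc
# Assumption (not from the post): Options holds one or more "<opt>:<value>" hex items, comma separated.
_DHCP_RE = re.compile(
    r"(?P<msg>[A-Z]+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?:reqIP=(?P<ip>\S+)\s+)?"
    r"Options\s+(?P<opts>[0-9a-fA-F:,]+)"
)

def parse_dhcp_log(lines):
    """One dict per client DHCP message that carries an Options field."""
    records = []
    for line in lines:
        m = _DHCP_RE.search(line)
        if not m:
            continue  # server replies (OFFER/ACK) and unrelated debug carry no Options
        records.append({"msg": m.group("msg"), "mac": m.group("mac").lower(),
                        "ip": m.group("ip"), "options": m.group("opts").lower().split(",")})
    return records

def fingerprints(records, option="37"):
    """Map each value of one option (0x37 = 55, Parameter Request List) to the MACs sending it."""
    seen = defaultdict(set)
    for r in records:
        for opt in r["options"]:
            if opt.startswith(option + ":"):
                seen[opt].add(r["mac"])
    return dict(seen)

def derivation_rule(rule_set, fingerprint, role, position=1, description=""):
    """Render the two CLI lines used in the post for one fingerprint."""
    return [f'aaa derivation-rules user "{rule_set}"',
            f'set role condition dhcp-option contains "{fingerprint}" '
            f'set-value "{role}" position "{position}" description "{description}"']

# Constructed sample: the line quoted in the post plus three made-up lines (a second
# client with the same fingerprint, a different client type, and a server ACK).
SAMPLE_LOG = [
    "Apr 22 12:00:53 dhcpdwrap[3457]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan233: REQUEST 12:ac:bc:45:84:89 reqIP=10.10.33.10 Options 37:0103060f77fc",
    "Apr 22 12:01:10 dhcpdwrap[3457]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan233: DISCOVER 12:ac:bc:45:84:90 Options 37:0103060f77fc",
    "Apr 22 12:01:15 dhcpdwrap[3457]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan233: REQUEST 00:11:22:33:44:55 reqIP=10.10.33.20 Options 37:010f03062c2e2f1f2179f92b",
    "Apr 22 12:01:16 dhcpdwrap[3457]: <202536> <DBUG> |dhcpdwrap| |dhcp| Datapath vlan233: ACK 00:11:22:33:44:55",
]

if __name__ == "__main__":
    for fp, macs in fingerprints(parse_dhcp_log(SAMPLE_LOG)).items():
        print(fp, "->", ", ".join(sorted(macs)))
    print("\n".join(derivation_rule("test", "37:0103060f77fc", "deny-role", 1, "deny-iphone")))
```

Review the grouped output before committing the rule: any non-iPhone MAC that shares the option 55 value would land in the deny role too, since the match is on the fingerprint, not the device.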