If you want to blacklist users on a per WLAN basis you can add the MAC address to the role associated with specific WLAN you want to blacklist them on (keep in mind that the Max Number of Filter Rules per Role is 64).
You need to make sure when creating the filter rule in the role for the client to set the 'In filter' and 'out filter' to 'both', and the 'Access Control' to 'Deny'.
If you use this method the client will still be able to connect to the SSID but they will not be able to pass any traffic. This may be a viable solution if you only need to blacklist a few clients.
If you need to blacklist more clients and need to do so on a per WLAN basis you would need to use some kind of authentication (MAC) and use NAC to blacklist.
I wondered why I did not recognize your solution. I am a Extreme IdentiFi ESE and this question was posted under the IdentiFi wireless heading. The below answer from Doug is our only solution as without that a blacklist entry blocks the entire system.