If I have an Internet port connected directly to the controller, I assume the port ACL would be
any controller-ip UDP-4500 allow
That is all you need for RAP... any user traffic going back out will be allowed back in by the user role's firewall policy; it will not be blocked by the implicit deny all you mention above.
vlan 10 OUTSIDE-INTERNET
!
ip access-list session OUTSIDE-INTERNET
  any any svc-dhcp permit                         (required for DHCP)
  any any tcp 22 permit                           (use this to allow SSH to controller)
  any any tcp 4343 permit                         (use this to allow SSL/WebUI to controller)
  any any tcp 80 dst-nat ip 192.168.168.100       (use the following to host multiple web servers - this one is NAT only, no PAT)
  any any tcp 81 dst-nat ip 192.168.168.101 80    (this one is port 81 incoming then NAT and PAT to port 80)
  any any tcp 82 dst-nat ip 192.168.168.102 80    (this one is port 82 incoming then NAT and PAT to port 80)
  any any tcp 83 dst-nat ip 192.168.168.103 80    (this one is port 83 incoming then NAT and PAT to port 80)
  any any tcp 37777 dst-nat ip 192.168.168.99
  any any any deny log
!
interface fastethernet 1/0
  description OUTSIDE-INTERNET
  trusted
  ip access-group OUTSIDE-INTERNET session
  switchport access vlan 10
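To make the ordering and implicit-deny behaviour discussed in both replies concrete, here is a small Python evaluator for session-ACL rules written in the same shape as the OUTSIDE-INTERNET list above and the single UDP 4500 rule for RAP. This is an added example, not ArubaOS code and not from either poster. It assumes first-match evaluation, a silent implicit deny after the last rule, that svc-dhcp stands for udp/67, a placeholder controller address 203.0.113.10 in place of "controller-ip", and a simplified rule grammar (<src> <dst> <service> <action> [dst-nat ip <addr> [port]]); the parenthesised annotations from the post are dropped by the parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not ArubaOS code). Assumptions: first-match evaluation,
# a silent implicit deny after the last rule, and the simplified grammar
#   <src> <dst> <service> <action> [dst-nat ip <addr> [port]]
# where <service> is "any", "<proto> <port>", or an alias such as svc-dhcp.

SERVICE_ALIASES = {"svc-dhcp": ("udp", 67)}   # assumed expansion of the alias
CONTROLLER_IP = "203.0.113.10"                 # constructed stand-in for "controller-ip"

# Constructed copy of the OUTSIDE-INTERNET list from the post (annotations kept
# on the first line to show the parser strips them).
OUTSIDE_INTERNET = """
any any svc-dhcp permit (required for DHCP)
any any tcp 22 permit
any any tcp 4343 permit
any any tcp 80 dst-nat ip 192.168.168.100
any any tcp 81 dst-nat ip 192.168.168.101 80
any any tcp 82 dst-nat ip 192.168.168.102 80
any any tcp 83 dst-nat ip 192.168.168.103 80
any any tcp 37777 dst-nat ip 192.168.168.99
any any any deny log
"""
# The RAP rule from the first reply, rewritten in the grammar above.
RAP_ONLY = f"any {CONTROLLER_IP} udp 4500 permit"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str            # "any" or one IP
    dst: str
    proto: str          # "any", "tcp" or "udp"
    dport: Optional[int]        # None means any port
    action: str         # "permit", "deny" or "dst-nat" (a translating permit)
    nat_ip: Optional[str] = None
    nat_port: Optional[int] = None
    log: bool = False


@dataclass(frozen=True)
class Verdict:
    action: str                 # "permit", "deny" or "dst-nat"
    rule_index: Optional[int]   # None when the implicit deny fired
    logged: bool
    nat_to: Optional[str] = None    # "ip:port" after translation


def parse_rule(line: str) -> Rule:
    """Parse one rule line; parenthesised annotations are dropped first."""
    tokens = re.sub(r"\([^)]*\)", "", line).split()
    src, dst, rest = tokens[0], tokens[1], tokens[2:]
    if rest[0] in SERVICE_ALIASES:
        (proto, dport), rest = SERVICE_ALIASES[rest[0]], rest[1:]
    elif rest[0] == "any":
        proto, dport, rest = "any", None, rest[1:]
    else:
        proto, dport, rest = rest[0].lower(), int(rest[1]), rest[2:]
    action = rest[0]
    if action == "dst-nat":
        if rest[1] != "ip":
            raise ValueError(f"unsupported dst-nat form: {line!r}")
        nat_port = int(rest[3]) if len(rest) > 3 else None   # absent port = NAT only, no PAT
        return Rule(src, dst, proto, dport, action, rest[2], nat_port)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    return Rule(src, dst, proto, dport, action, log="log" in rest[1:])


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.proto == "any" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """First matching rule wins; no match falls through to the implicit deny."""
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule.action == "dst-nat":
            port = rule.nat_port if rule.nat_port is not None else pkt.dport
            return Verdict("dst-nat", i, rule.log, f"{rule.nat_ip}:{port}")
        return Verdict(rule.action, i, rule.log)
    return Verdict("deny", None, False)   # implicit deny: drops without a log entry


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules an earlier rule already fully covers, e.g. anything
    placed after a deny-all line; such rules can never match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src in ("any", later.src) and earlier.dst in ("any", later.dst)
                    and earlier.proto in ("any", later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    outside, rap = parse_acl(OUTSIDE_INTERNET), parse_acl(RAP_ONLY)
    for proto, dport in (("udp", 4500), ("tcp", 81), ("tcp", 443)):
        pkt = Packet("198.51.100.7", CONTROLLER_IP, proto, dport)   # constructed client
        print(proto, dport, "outside ->", evaluate(outside, pkt), "| rap ->", evaluate(rap, pkt))
    print("shadowed rules in OUTSIDE-INTERNET:", shadowed_rules(outside))
```

Running it shows the two points the thread makes: with the RAP-only list, UDP 4500 to the controller is permitted and everything else (for example UDP 500) hits the implicit deny, which produces no log entry; the OUTSIDE-INTERNET list's explicit "any any any deny log" as the last rule makes the same drops visible, and shadowed_rules() flags what would happen if that line were placed earlier.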