I apologize. Make the ACL blocking http traffic to the controller's management port and allowing everything else:
ip access-list session block-http
any host 192.168.1.3 svc-http deny
any any any permit
Then, apply it as a session ACL to the controller's uplink port as a session ACL
config t
interface gigabitethernet "1/0"
interface gigabitethernet "1/0" ip access-group "block-http" session
Try to access the controller's management interface on http via that uplink port. You should not be able to. After that you can monitor the "hits" to that ACL:
(192.168.1.3) # show acl hits
Port Based Session ACL
----------------------
Policy Src Dst Service Action Dest/Opcode New Hits Total Hits Index Ipv4/Ipv6
------ --- --- ------- ------ ----------- -------- ---------- ----- ---------
validuser any any any permit 0 488 7727 ipv4
block-http any 192.168.1.3 svc-http deny 3 8 8449 ipv4
block-http any any any permit 59 200 8450 ipv4
This of course will only work for traffic that is traversing that uplink. If you have wireless users who's traffic terminates on that controller, it does not traverse that link, so you would have to block their traffic via user role.