For RAP-2, RAP-3, RAP-5, and newer generation APs (those that do certificate authentication), they do not require the ACLs you mention. If you have a campus AP that you want to be a RAP, whitelist it and when provisioning it, choose Remote AP (yes) and certificate authentication. You should not have to create any ACLs for this to work.