ACL should work regardless. The question is, what role do your users end up in? A user is required to have an IP address to get into the user table, so if you are blocking everything, they will not end up there.
I would type "show acl hits" to see if any users are hitting your ACL.
Also, confirm the role that users get when they associate. If they are in the user table, they got the wrong role. Also, do an "aaa user delete" to kick users off to start from scratch when you are testing.
Also, turn on user debugging (config t logging level debugging user), then type "show log user 50" to understand what your users are doing...