Hmm, ACLs on switches with dot1x are only used for inbound traffic, seen from the switch's perspective, and they are also stateless. I suppose you could block it by blocking traffic from the endpoint with 3389 as the source port, which would be the response packet from the endpoint when someone tries to connect to it on port 3389 (RDP). On wireless you can do outbound as well as inbound in the same ACL, so you can just block 3389 connections in the outbound direction. For switches, the DACL is created and sent from ISE with your authorization profile; for wireless, the ACL has to be created in the WLC, and only its name is sent from ISE.
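
The reasoning in the reply above, modelled as an added example that is not part of the original post: a small Python simulation of a stateless, inbound-only port ACL. The DACL lines, IP addresses and function names are constructed for illustration.

```python
# Added example: a stateless, inbound-only port ACL as described in the post.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed DACL body in Cisco extended-ACL syntax (not from the post).
DACL = """\
deny tcp any eq 3389 any
permit ip any any
"""

def parse_rule(line):
    """Parse '<action> <proto> any [eq N] any [eq N]' into a tuple."""
    action, proto, *rest = line.split()
    ports = []
    for _ in range(2):                      # source side, then destination side
        if not rest or rest.pop(0) != "any":
            raise ValueError(f"unsupported rule: {line!r}")
        if rest[:1] == ["eq"]:
            ports.append(int(rest[1]))
            rest = rest[2:]
        else:
            ports.append(None)              # no port qualifier: match any port
    return action, proto, ports[0], ports[1]

RULES = [parse_rule(l) for l in DACL.splitlines() if l.strip()]

def port_verdict(pkt, endpoint, rules=RULES):
    """Verdict for one packet crossing the endpoint's switch port."""
    if pkt.src != endpoint:
        return "unfiltered"                 # toward the endpoint: ACL not applied
    for action, proto, sport, dport in rules:   # first match wins, no state kept
        if proto in ("ip", pkt.proto) and sport in (None, pkt.sport) \
                and dport in (None, pkt.dport):
            return action
    return "deny"                           # implicit deny at the end of an ACL

EP, ADMIN, SRV = "10.0.0.50", "10.0.0.9", "10.0.1.20"   # constructed addresses
SAMPLES = {
    "SYN to endpoint:3389":      Packet("tcp", ADMIN, 51000, EP, 3389),
    "SYN-ACK from endpoint":     Packet("tcp", EP, 3389, ADMIN, 51000),
    "endpoint as RDP client":    Packet("tcp", EP, 52000, SRV, 3389),
    "endpoint HTTPS":            Packet("tcp", EP, 52001, SRV, 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} {port_verdict(pkt, EP)}")
```

Because the rule matches only the source port, the endpoint can still open RDP sessions to other hosts; its own listener is what becomes unreachable, since the SYN-ACK never leaves the port.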