9800 doesn't officially support support DACL's yet. Please refer the enhancement bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv16183

You might be able to get it working since controller itself is running IOS-XE code, but however it is not officially supported and caused behavior which might impact other primary functions of WLC.

Yes, i know about the bug. Is there any solution to restrict or deny some IPs for WIFI users.

WLC controller IOS-XE C9800.

ISE 2.7

You must create the ACL in WLC, and then make sure that is pushed to AP's via making required configuration changes in Flex profiles.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#anc23:~:text=of%20the%20rules.-,Flexconnect%20Local%20Switching%20Access%20Points%20ONLY,-What%20if%20you

Flex Profile >> Policy ACL

Also Make sure that you are running Cisco recommended IOS-XE codes as some older and short-lived codes have limitations with regards to Radius implementation. 

Refer the below post which is very helpful as well.

Solved: WLC C9800 AirSpace ACL does not get applied - Cisco Community

Yes, now the issue how can i call the ACLwhich created on WLC by ISE.

Also the ACL to deny some application, not for redirect "i have to do a check mark for central web"

Thanks Arshad, but still unable to apply the ACL and user has all permit access.I attached the configuration based on your recommendation.

Appreciate your support, the WLC ACL in place and ISE use the same ACL "airespace ACL name".

any idea

Hi Islam,

Yes, ACL name and the Airspace ACL name must be same. You can do a radioactive trace from 9800 WLC to see what parameters ISE is sending and how the client is reacting to it. Alternatively, you can also do a PCAP to confirm radius messages are sent with the required parameters.