There's a limitation (stated below in Cisco's documentation) that FlexConnect ACLs in Cisco WLC cannot be combined in the same WLAN with local mode ACLs. The GUI allows the entry of a local mode ACL in the Interface tied to the WLAN and also a separate FlexConnect ACL in those APs that are in FlexConnect mode under the VLAN-Mappings section. This seems contrary to the restriction. Does the FlexConnect AP ignore the local mode ACL on the WLAN and just use its FlexConnect ACL or is the behavior something else to back up the statement below? I really don't want to have to create separate WLAN's just to handled the FlexConnect ACLs.
FlexConnect ACLs cannot be combined with Local mode ACLs on the same WLAN. If ACLs are needed for both FlexConnect and Local mode APs, you can apply two different WLANs to support the use of ACLs in both operating modes (one WLAN for FlexConnect APs and the other WLAN for Local mode APs).
Reference: Configuring FlexConnect in Cisco Wireless LAN Controller Configuration Guide, Release 7.2
Best Answer
I don't have anything on 7.2 still so I can't give you a definitive answer on your question. However, what I can say is that if you take the letter of the documentation as law and presume that you cannot combine FlexConnect and Local ACLs on a single WLAN, and you really don't want to create multiple WLANs, what I know you can do is use central switching on FlexConnect APs to apply local ACLs.
We actually do this for our Web Authenticated guest network. Yes, traffic on this network must transit back to the location of the WLC, but it was the best solution for us at the time of implementation.