ACL Redirect in IOS/ASA/WLC

Question to KB.

in case of Wired CWA.

I have read a lot of documents and confuse why they configured Deny first then permit.
Example :
Redirect ACL
deny udp any any eq 53
deny udp any any 67
deny ip any host ISE
permit tcp any any eq 80
permit tcp any any eq 443

Can we configure it directly?
Redirect ACl
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any (implicit )

What I understand is that

in IOS/ASA ,
Permit mean – Mean Redirect
Explicit Deny in first Redirect ACL – mean NO Redirect

so what is different between Implicit Deny and Explicit DENY ?

In case of Wireless CWA

in WLC
is there any Implicit DENY in WLC like ASA/IOS Scenario ?

what i Understand -
DENY == Redirect
Permit == No redirect or BLOCK

Please your support in this area

The Redirest ACL is downloaded to the Network Device (Switch or WLC). It specifies the traffic that will be redirected towards ISE. The reason for the Deny statements in the Redirect ACL is to tell the Network Device not to redirect the specified traffic. The Deny is for traffic that will allow the End point to get on the network like DHCP/DNS and any traffic that is destined to ISE. If any other traffic comes in, it should redirect it to ISE. Once the authentication takes place, the CoA will override the Redirect ACL. The way you have written it, will only redirect the web traffic and permit the other traffic to go thru without any check.

I could not get this statement. Permit other traffic without any check.

Both ACLs should work