after reset the AP 420 to factory-default settings.and try to connect using web shell I get access denied.
If the AP was cloud managed before, it might be pulling down it's config very quickly -- are you able to use the config password you provided in WiFi Cloud?
If this is what's happening, the article here shows what FQDNs to block in order to prevent the AP(s) from getting that config.
WatchGuard Customer Support
I had run into that over and over and over again - until I block the AP420 from talking to the outside at all (deny 'any' at the edge). After about 7 to 10 minutes it will look for the WLC in your firebox (2529udp) and you can configure it from there. Once done, assign an IP to the AP and it no longer tries to access the Cloud system. It seems that it wants a static...for some reason if they catch the IP via DHCP even with a reservation they try to talk to WG Cloud.
1 - get the MAC of the AP and create a reservation for that AP
2 - create a deny policy for the IP in question
3 - keep trying over and over to discover the AP in the WLC.
Now that I look, I have all of my AP's blocked from talking to the internet at all. The license update does not seem to need it either. I created an alias for all of my AP's at the given facility and blocked them all from the web.