My controller shows clients (smartphones and Windows devices with features such as VMware) with the same MAC address but multiple IP addresses (and I know some are invalid)
Clients
| User Name | MAC address | Client IP | User Role | Authentication Method | ESSID | AP Name | Phy Type | Age | Roaming Status | Forward Mode |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | a0:88:b4:56:d4:30 | 192.168.25.207 | authenticated | | Jester | MeshPortal | 802.11a | 1 hrs 39 mins | Wireless | tunnel |
| | f0:de:f1:60:57:54 | 10.97.255.134 | logon | | Jester | MeshPortal | 802.11a | 1 hrs 39 mins | | tunnel |
This happens when packets are sourced by a secondary adapter (such as a smartphone’s 3G radio, or a VMware interface on a server/laptop) and follow the default route through the WLAN. The controller creates a “user” record for each unique IP/MAC pairing, which can cause some confusion.
You can resolve this by adjusting the “validuser” ACL so that it permits only the addresses you expect to be “valid” on your WLANs.
ip access-list session validuser
any any any permit
“This firewall rule controls which users will be added to the user-table of the controller through untrusted interfaces. Only IP addresses permitted by this ACL will be admitted to the system for further processing. If a client device attempts to use an IP address that is denied by this rule, the client device will be ignored by the controller and given no network access. You can use this rule to restrict foreign IP addresses from being added to the user-table. This policy should not be applied to any user role, it is an internal system policy.”
If you only want your users to get IP addresses from 192.168.x.x, you configure the validuser ACL like this:
config t
ip access-list session validuser
any network 192.168.0.0 255.255.0.0 any permit
any any any deny
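Before tightening the ACL, it helps to see which existing IP/MAC pairings would stop being admitted. The script below is an added example, not part of the original post or of any Aruba tooling: it groups client-list entries by MAC and splits their addresses into in-range and out-of-range, assuming 192.168.0.0/16 is the only expected range and using sample rows that are partly taken from the table above and partly constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the ranges your WLAN clients are expected to use (the post's example).
EXPECTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# (MAC, client IP) pairs as copied from the controller's client list.
# The first two are the rows shown in the post; the rest are constructed.
SAMPLE_ROWS = [
    ("a0:88:b4:56:d4:30", "192.168.25.207"),
    ("f0:de:f1:60:57:54", "10.97.255.134"),
    ("a0:88:b4:56:d4:30", "172.16.44.1"),    # constructed: VMware-style adapter
    ("f0:de:f1:60:57:54", "192.168.25.18"),  # constructed
    ("00:11:22:33:44:55", "192.168.30.9"),   # constructed: single valid entry
]

def is_expected(ip, networks=EXPECTED_NETWORKS):
    """True if the client IP falls inside one of the expected WLAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def audit(rows, networks=EXPECTED_NETWORKS):
    """Return {mac: {"keep": [...], "drop": [...]}} for MACs with an out-of-range IP."""
    by_mac = defaultdict(lambda: {"keep": [], "drop": []})
    for mac, ip in rows:
        bucket = "keep" if is_expected(ip, networks) else "drop"
        by_mac[mac.lower()][bucket].append(ip)
    return {mac: e for mac, e in by_mac.items() if e["drop"]}

def orphaned(report):
    """MACs with no in-range address at all: these would lose every entry,
    so check whether a legitimate subnet is missing from the expected ranges."""
    return sorted(mac for mac, e in report.items() if not e["keep"])

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    for mac, e in sorted(report.items()):
        print(f"{mac}: keeps {e['keep']}, no longer admitted {e['drop']}")
    print("MACs left with no valid entry:", orphaned(report))
```

Any MAC reported as left with no valid entry is worth checking before you apply the deny rule, since that device would be given no network access.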
William Carr is the Chief Mobility Architect and a Senior Consulting Engineer at Comm Solutions Company. During his seven-year tenure, his responsibilities have included Network Solution Design, Product Recommendation and Analysis, Proposal Generation/Presentation, Implementation Planning Coordination, and Project Management. Bill assisted in expanding the Comm Solutions technology portfolio by launching their Wireless LAN Technologies Practice, developing standard practices for scalable growth. He has held both short and long-term consulting assignments with Fortune 500 clients and continues to mentor the internal engineering staff in various solution sets.

