I have a autonomous solution of about 20 AP's which is working fine. The Authentication method is PEAP-GTC using the funk Odyssey client to ACS v3.2 and RSA server.
I migrated the solution to the centralised unified lightweight solution and all looked well, AP's registered with the controllers and clients authenticated through the unified solution no problem and you could see the passed authentication in the ACS log with the WLC address as the NAS. However once all AP's were converted to lightweight the clients restarted they stopped authenticating and no pass or fail was recorded on the ACS.
I found that if a client initially authenticated to an Autonmous AP and then roamed to a lightweight AP that worked fine, but clients could not do a cold authentication through a lightweight AP. I turned authentication off on the WLC and then clients can associate fine. I debugged the roam authentication and then the cold authentication as far as AAA events went and could not see a difference, the WLC reported a send and challenge response from the RADIUS (ACS) server in both cases, but only in the roam was a log reported in the ACS pass or fail.
I have attached a word doc with the logs.
and a jpg of the client details as shown on the controller.
I have rolled back to the autonomous solution, and will have another attempt very soon.