WLC sends incorrect user name to RADIUS server when performing MAC authorization on MESH APs. From Configuration Guide and Release
notes:
http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52mesh.html#wp1578796
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn4119235M.html#wp1004616
Both of them documents that the user name for AP1240, 1522, and
1524 are platform_name_string-Ethernet MAC address. The WLC
actually sends out MAC address of the AP to the RADIUS server
first. If the user name is not defined in the RADIUS server, the
WLC sends an access reject to the WLC. Then, the WLC uses
platform_name_string-Ethernet MAC address to the RADIUS server.
In a large MESH installation, some MESH APs fail to join. Change
the order of access request to platform_name_string-Ethernet
MAC address, MAC address (password lower case), and then
MAC address (password upper case)
Configure users with the MAC address of the AP in the external
RADIUS server