I have discovered that the 5508 that I recently installed is using the service port address when it sends TACACS and RADIUS requests to the ACS server. I have also noticed that I can only telnet or web into the controller through the service port address. I can telnet (and presumably web) into the controller through the management interface if I connect from a device within the same subnet as the management interface.
Under normal circumstances, this is not a problem, but it eliminates the benefit of dual homing the controller. I can configure the management interface with a backup port connected to a separate switch, but there is only one physical port for the service port. I have tested this. When the service port is down, I cannot authenticate clients.
A few notes:
The controller is running 220.127.116.11.
I don't have this with WiSM and 4400 controllers running the same code level.
I can ping the management interface from outside the subnet (not a routing issue).