Controllerless Networks

I have a user account that keeps getting locked out in our domain and I am finding the failed logon attemps from our aruba instant environment (this is at a location where the user does not work) within the domain controller for the site. I see the following messages in event viewer:

Event IDs: 6273; 4625; 4776  ( I will attach screen shots of content )

All these events happen at the same moment and the only source I see is the ip address of our virtual controller. Aruba IAP environment consist of IAP-225's running 6.4.0.3-4.1.0.1_45063.  I noticed in the event id 6273 it references a "called station" and "calling station". The called station is showing the mac address of one of my AP's but the calling station is just showing as a samsung device. I have blacklisted this mac address but I can still see this event happening in the logs. 

Any help would be appreciated in hunting down this device. The lack of reporting on the instant environment is proving dificult but I am sure there is a trick I am missing to hunt this down.

I wish but I do not.

AGarner,

The output of "show ap bss-table" on the commandline of the Virtual Controller should show you the list of called-station-ids that are in a virtual controller.  You should be able to compare that to the called-station-id in the radius authentication request to figure out what AP is being authenticated to:

http://www.arubanetworks.com/techdocs/Instant_41_WebHelp/InstantWebHelp.htm#CLI_commands/show_ap_bss_table.htm

So I have blacklisted the mac address of the device causing the lockouts within the aruba configuration but the lockout is still occuring. How is this possible?