Nightshade1,
just to confirm for you, if you use the native AAA functions of the switch (dot1x, mac-auth, captive-portal, udr), then you get visibility at the switch level and nothing at the controller, since they don't need to be connected to one another. If you have Airwave, we also send the user visibility there.
If you use tunnel node from the switch, all the user visibility as well as the AAA functions are handled by the controller. This is what you would see as an example.
(host) #show user-table verbose
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name Server Vlan Bwm
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ------ ---- ---
22.1.1.1 00:00:00:00:00:01 aa 00:00:00 tunnel 10 Wired 172.16.10.11:gigabitethernet0/0/0/00:0b:86:6a:24:00 aa tunnel 200 (200)
22.1.1.2 00:00:00:00:00:02 bb 00:00:00 tunnel 10 Wired 172.16.10.11:gigabitethernet0/0/0/00:0b:86:6a:24:00 aa tunnel 200 (400)
22.1.1.3 00:00:00:00:00:03 cc 00:00:00 tunnel 10 Wired 172.16.10.11:gigabitethernet0/0/0/00:0b:86:6a:24:00 aa tunnel 200 (500)
User Entries: 3/3
Tunnel-Node is purely a data plane function as opposed to a control plane function. Said another way, while the switch can tunnel traffic back to a controller, the switch is not managed by the controller. You have to manage it independently or via Airwave.
Best regards,
Madani