Now I knnow what I am looking for so I created a syslog alert to e-mail me the message, I found in the last 12 hours, 30 APs came up with "AP-Group is not present in RAdius server". All errors were from one 7220 controller, different from the other controller. All APs are campus in tunnel mode.
So the problem is random, it can happen to any controllers. Unlike I said before, the problem is not just with bridge-ap but also with APs in tunnel mode. It seems like AP drops clients when it is in bridge mode.
So, what is CPPM radius doing with the AP-group, and mac-address username? I do have one service that requires MAC-AUTH.
Thanks,
#7220