Security

Yes, or "enforce dhcp" in the AAA profile.

I was under the impression 'Enforce DHCP' simply prevented statically assigned IP addresses?  This is not the case here as both device got the address from the DHCP server, but the controller failed to acknowledge the disconnect/release in time.

The odd thing is, under the client list in the GUI, the entry for the IP address that my device had been given, showed my access point, but the other user's name and device.  Is this a bug?

If you have a user that is getting another device's ip address via DHCP, I would make sure that your DHCP lease is at least 15 minutes long to prevent that.

Enforce DHCP only allows a device that gets an ip address from a DHCP conversation that the controller has seen to enter the user table.  The controller does not use a DHCP release in any DHCP enforcement.

I do not have your logs, so I cannot comment on the display being a bug.  If you open a case with TAC they might be able to provide clarity.

The lease is set to 1 day.  The issue is that the user is not removed from the list of users on the conrtroller quickly enough once it disconnects.  This allows a different client to legitimately re-use the IP address, but not be able to connect through the controller.

What is the output of "show aaa timers"? 

Global User idle timeout = 3600 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds

how do you change the AAA fast age? I could not find anywere.

config t

aaa user fast-age