Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Tethering created a wireless network outage

  • 1.  Tethering created a wireless network outage

    Posted Mar 20, 2013 02:41 PM

    A user connected his smart phone to the “Guest” SSID (no authentication for this) and got a Guest IP address. He also connected his company-provided laptop to the “Employee” SSID with machine+user authentication and got an Employee IP address. Later the user tethered his smart phone to his laptop, trying to access Employee resources on the smart phone. When the two machines are tethered they are seen, by the distribution router that the controller is connected to, as only one MAC address with two IP addresses. The distribution router shuts off the ports that are connected to the controller to avoid a loop. The APs lost connection to the controller, resulting in a wireless network outage.

    Is there any log in the controller that shows what happened? Is there any feature that can be enabled/configured in the controller that can avoid this in the future?



  • 2.  RE: Tethering created a wireless network outage

    Posted Mar 20, 2013 11:33 PM

    You created an L2 loop. STP turned off the port, as I would have expected. You could turn off STP on the port, but that is not really a recommended practice since your users could create a loop and bring down the wired & wireless network.

    I think you're going to have to educate your users (no easy task).



  • 3.  RE: Tethering created a wireless network outage

    Posted Mar 21, 2013 09:53 AM

    That is right, the switch was seeing BPDUs and it shut off the port leading to the controller. In my reading I found out that the controller IDS has "Windows Bridge Detection" (turned on by default) so that APs can listen to BPDUs from wireless clients. On the other hand, "Windows Bridge protection" is NOT enabled by default. I am just thinking that turning on "Windows Bridge protection" may help. Any ideas?

    Command:

    ids unauthorized-device-profile protect-windows-bridge



  • 4.  RE: Tethering created a wireless network outage

    Posted Mar 22, 2013 09:09 AM

    If you enable "Windows Bridge Detection", it will disconnect the client, but would not bring down your network.

    I'd turn it on and monitor to see how it works.