kdisc98
A station can have up to 4 x IPv4 addresses and 2 x IPv6 address associated with it (i.e. user-table entries) without any problem. This is not to say that when your problem client ends up with a 2nd ipv4 address that it's not the trigger for some problem, but the controller does support the notion of multiple IP addresses per user.
Causes of multiple IP per user can vary; moving across vlans will cause it to appear shortly, as do some mobile devices which leak 3G/4G addresses into the wifi side. Some Windows devices do sometimes exhibit some odd bridging behaviour where if they are connected to wired and wireless at same time they can leak wired side addresses into the wifi even if bridging is disabled.
Most common way to filter against this is to use the validuseracl to allow only your desired subnets. AAA fast age can help also, as does disabling of ipv6 if you dont wish to support dual stack (not in your case though, the implcation seems to be multiple ipv4)
Enforce DHCP can sometimes be problematic - if the client wakes up and the user entry has idled out on the controller user-table but the DHCP lease is still very fresh and the client doesn't try renew the lease, then your user will get stuck (traffic dropped by the controller since no user entry and enforce DHCP enabled). Most (some?) clients will trigger a DHCP request after waking up and reconnecting to the wifi, but I have seen some clients not do this. Perhaps try disabling enforce DHCP for a while and/or review your DHCP lease time vs. the aaa user idle time in the controller.
regards
-jeff