In terms of the invalid IP appearing in the user table and firewall list, I don't find the valid-user ACLs (or any other) will help prevent this.
Broadly speaking this is because the controller MUST (even temporarily) add the session in deny state due to normal operation (assuming it's setup accordingly). So you still see it.
And actually, for what it's worth, I'm not a big fan of the DHCP enforce, although I do get what CJ is saying. Certain (very badly programmed) clients tend not to respond well to this I've found.
It's just something to understand and live with I'd say. It would be nice if the associated Android OS's didn't do it, but hey-ho!