Hi,
This is a security design question. Methods using a TLS tunnel, like EAP-TTLS, EAP-PEAP, EAP-TLS, etc., build a tunnel and then authenticate inside.
The WLC only reads information about the outer tunnel. Usually the username there is "anonymous" or some other random username (= roaming identity). This username is not authenticated; it's just used to build a tunnel.
The WLC cannot read what is inside the tunnel because it forwards it to ACS (or a RADIUS server). Only ACS knows the real username of the user.
So WLC/WCS cannot figure out the username unless you put an outer identity equal to the real username of the client.
Hope this clarifies.
===
Don't forget to rate useful posts
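
Added example, not part of the original post: a minimal EAP parser showing what a pass-through authenticator (the WLC role described above) can read from the exchange. The packets, the outer identity `anonymous@example.org` and the opaque tunnel bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import struct

EAP_RESPONSE = 2
TYPE_IDENTITY = 1
# TLS-based EAP method types named in the post (IANA EAP registry numbers)
TLS_BASED = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def build_eap(code, ident, eap_type, data):
    """Build an EAP packet: Code, Identifier, Length, Type, Type-Data (RFC 3748)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def authenticator_view(packet):
    """Return what a pass-through authenticator (the WLC role) can read."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    data = packet[5:length]
    if code == EAP_RESPONSE and eap_type == TYPE_IDENTITY:
        # Sent before any tunnel exists: cleartext and unauthenticated.
        return {"kind": "outer-identity", "identity": data.decode("utf-8", "replace")}
    if eap_type in TLS_BASED and data:
        # Flags byte; if the L bit (0x80) is set, a 4-byte TLS length follows.
        offset = 5 if data[0] & 0x80 else 1
        tls = data[offset:]
        return {"kind": "tls", "method": TLS_BASED[eap_type],
                "record_type": tls[0] if tls else None, "opaque_bytes": len(tls)}
    return {"kind": "other", "type": eap_type}

def visible_identities(packets):
    """All usernames the authenticator can learn from the EAP exchange."""
    views = [authenticator_view(p) for p in packets]
    return [v["identity"] for v in views if v["kind"] == "outer-identity"]

# Constructed sample exchange. The 32 opaque bytes stand in for the encrypted
# inner authentication (where the real username travels); they are not real TLS.
OPAQUE = hashlib.sha256(b"constructed ciphertext").digest()
TLS_RECORD = struct.pack("!BHH", 23, 0x0303, len(OPAQUE)) + OPAQUE  # application data
SAMPLE = [
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"anonymous@example.org"),
    build_eap(EAP_RESPONSE, 2, 25, b"\x00" + TLS_RECORD),  # PEAP, no L flag
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(authenticator_view(pkt))
    print("identities visible to the authenticator:", visible_identities(SAMPLE))
```

The only username the parser recovers is the outer identity; for the tunneled packet it can report the method, the TLS record type and a byte count, nothing more.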