I would like to add something on the detection of rogue AP, working as a security engineer on a large network I find this a very difficult task.

Because wardriving all the offices is to time demanding I've been looking into some other ways of finding rogue APs. First step is to look through all MAC tables of the switches (and DHCP servers) to see if Wireless MACs can be found, but not all APs can be identified by its MAC address.

I beleive that the real challenge starts here: How can you find the rest of the roque APs?
At the moment building a scanner that can Identify rogue APs by performing OS fingerprinting (hping), Banner grabbing, etc. When we first ran this scanner it picked up loads of roque APs, but again this is only best effort. I still see ways were rogue APs are not picked up by such scanners.

For now the only sollution I see from protecting networks from rogue devices is 802.1x (more ...) , but that is not quite here yet.

Anyone suggestions how to improve rogue AP detection?