Most wireless vendors have a way to determine if rogue access points are actually connected to the wired LAN. Cisco's WCS has the ability to track a rogue access point on the LAN via RLDP (Rogue Location Discovery Protocol), but it has been problematic for quite some time. Kicking off the RLDP search is a manual task for every rogue SSID that is detected by WCS. There simply isn't a way for WCS to auto-scan each rogue SSID to ensure it isn't cabled into the LAN. This makes it hard to determine whether rogue access points are wired into the LAN or not. Unfortunately, in enterprises where PCI compliance is mandated, the manual scan will have to be run on every rogue SSID.
PCI DSS version 1.2 places special emphasis on WLAN security. It requires that Cardholder Data Environments (CDEs) change wireless defaults (passwords, SSIDs, keys, etc.), use strong encryption, eliminate rogue/unauthorized wireless devices, restrict physical access to wireless devices, log wireless activity, define wireless usage policies, etc.

For all other enterprise deployments not requiring PCI compliance, the fear of rogue access points being connected to your LAN may be overblown. Today there are a multitude of choices for personal hot-spot devices. Most Wi-Fi power users have their own MiFi, Clear, Cradlepoint or hot-spot functionality enabled on their smart phone (or all four!). I think it would be very unlikely for an employee wanting unsecured/unfiltered Wi-Fi to bring/buy a Linksys/D-Link AP and plug it in at work. It is more likely that they would just use the web browser on their smart phone, or use a personal hot-spot Wi-Fi device to connect laptops to their personal, unfiltered Wi-Fi network. I think that the days of people bringing an access point from home and plugging it in at work are over.
I've seen many an end user in their cubicle using the unfiltered internet connection on their smart phone to surf Facebook or Twitter, while their work PC is connected to the locked-down LAN or WLAN connection. The idea that the regular end user would bring an access point from home is increasingly unlikely. Physical security of your LAN is always the first step towards securing your network, but the average enterprise wireless user will just use their smart phone to surf the web.