After extensive conversations with TAC, I have come to discover that you cannot rely upon the system to tell you if a rogue AP is on the network. This is true EVEN WITH AN AP CONFIGURED FOR OPEN AUTHENTICATION. I have tested this in-house with a rogue AP through which I could ping my trusted APs (same subnet) while it was briefly connected to our network (as in greater than 15 minutes) and the system does not detect that the rogue AP is on the network.
According to some extensive research on the part of TAC, that is the way it is SUPPOSED to function (MALfunction) unless you want to dedicate an AP as a scanner!
Maybe others have had better success, and I would be interested to hear any other experiences, pro or con. However, I have been told that this is the way it is supposed to work and the system may NEVER detect that it is on the network.
(not exactly as advertised...)