Recently discovered something about containment: Containing an existing rogue client will only prevent it from reconnecting later. It does NOT knock off the existing client from the AP.
Containing a rogue AP will only prevent NEW connections from being made (i.e.: roams, re-connections, etc.)
Maybe this was commonly known, however it was news to me.
Isn't there any way to bump an existing client off the system?