The AP impersonation alarm is triggered by an SNMP trap sent by the WLC. The trap sent is:
This happens when a radio of an authenticated access point hears from another access point whose MAC address matches neither a rogue nor an authenticated neighbor of the detecting access point.
In aggressive environments, a helpful feature is access point authentication with a threshold of 2. Enabling it lets you detect possible AP impersonation while minimizing false positive detections.
This is how to configure it from the CLI of the Wireless LAN Controller (WLC):