04-09-2022 08:39 PM
Hi,
What is the benefit of blocking detected rogue access points?
Thanks
04-10-2022 02:48 AM
It's for security reasons that we need to detect and block it.
Check some good documents:
04-10-2022 04:05 AM
Hi,
I did containment for multiple rogue APs, but users can still connect and use them.
Thanks
04-10-2022 05:03 AM
"Blocking detected rogue access points" is a very sensitive topic, as this is illegal in certain countries. Rogue access point containment, if done, must be done very carefully and preferably manually. In order for you to have a well-working containment scenario you need to have the proper APs (APs with an RF ASIC) or dedicated monitor-mode APs. If not, best-effort containment will be provided by client-serving APs when they go off-channel. Also, if you are deploying monitor-mode APs, the AP positioning must be considered as well.
Why do we need to do rogue AP containment?
There are many reasons. The most prominent one is to avoid evil twin APs impersonating your wireless SSIDs, and to avoid unauthorized APs connected to your LAN extending your wired LAN access. Then there might be a business requirement where you have to prevent any other APs working in your premises, security policy demands, etc.
How does it work? Different vendors use different mechanisms. Cisco prominently uses broadcast deauth spoofing the rogue AP BSSID as source, unicast deauth spoofing the rogue AP BSSID as source and the client MAC as destination, and also spoofing the client MAC to send deauth to the rogue AP.
How effective? Certain newer clients simply ignore the deauths and disassocs when sent by the WIPS. In my extensive testing with numerous BU engineers we noticed that Cisco by default uses a deauth frequency of 500 msec to contain rogue clients at the auth phase, but this is not sufficient to effectively contain, as the client either ignores this or reassociates very quickly. So we tested with lower values and found 150 msec to be somewhat working, but still not perfect.
So test this in your own environment and keep in mind this will work only if you have the correct infrastructure. If possible, try to migrate to WPA3, but considering client support and the undiscovered bugs on the WLC side due to less usage, this might be a challenge.
04-11-2022 02:21 AM
So test this in your own environment and keep in mind this will work only if you have the correct infrastructure. If possible try to migrate to WPA3, but considering client support and the WLC side undiscovered bugs due to less usage this might be a challenge
What is "less usage" here?
04-10-2022 06:09 AM - edited 04-10-2022 06:13 AM
Most importantly, make sure the AP you contain is really an "evil" rogue and not just a neighbour (by default everything is classified as a rogue, even if it is harmless).
If you contain your neighbours' APs without a justifiable legal reason, you will be breaking the law and be subject to litigation by the victim and the authorities in most countries.
One of our customers with severely degraded service was the victim of such an attack when the neighbour enabled containment on their Meraki network without understanding what it actually did. After we tracked the source of the attack and had a polite chat with the network administrator who had enabled containment, it was very promptly disabled with profuse apologies.
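A defender-side classification check to run before any containment decision, as an added example illustrating the evil-twin / on-LAN / neighbour distinction raised in the two posts above (example code, not from the thread or from any vendor's product). The SSID and MAC inventories are constructed, and the "radio MAC adjacent to a wired MAC" heuristic for on-wire rogues is an assumption, not a vendor algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectedAP:
    bssid: str       # BSSID heard over the air
    ssid: str        # advertised SSID
    rssi_dbm: int    # signal strength as seen by our monitor AP

# Constructed inventory (hypothetical values, not from the thread).
OUR_SSIDS = {"CorpWiFi", "CorpGuest"}
MANAGED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
# MACs learned on our access switches, e.g. exported from the MAC address table.
WIRED_MACS = {"aa:bb:cc:dd:ee:10", "00:11:22:33:44:01"}

def _adjacent_mac(radio: str, wired: str) -> bool:
    # Assumed heuristic: many small APs derive the BSSID from their wired MAC,
    # differing only in the last octet, so a match on the first five octets is
    # treated as evidence that the radio sits on our LAN.
    return radio.lower()[:14] == wired.lower()[:14]

def classify(ap: DetectedAP) -> str:
    """Return one of: 'managed', 'evil-twin', 'on-wire', 'neighbour'."""
    if ap.bssid.lower() in {m.lower() for m in MANAGED_BSSIDS}:
        return "managed"
    if ap.ssid in OUR_SSIDS:
        return "evil-twin"      # our SSID from a BSSID we do not own
    if any(_adjacent_mac(ap.bssid, m) for m in WIRED_MACS):
        return "on-wire"        # unknown radio that appears to be plugged into our LAN
    return "neighbour"          # harmless by default: do not contain

def containment_candidates(aps, min_rssi_dbm=-70):
    """Only evil twins and on-wire rogues heard strongly enough to plausibly be on premises.
    Anything else (neighbours, weak signals) is left for manual review."""
    return [ap.bssid for ap in aps
            if classify(ap) in ("evil-twin", "on-wire") and ap.rssi_dbm >= min_rssi_dbm]

# Constructed sample scan results.
SAMPLE_APS = [
    DetectedAP("00:11:22:33:44:01", "CorpWiFi", -60),      # our own AP
    DetectedAP("de:ad:be:ef:00:01", "CorpWiFi", -55),      # evil twin, strong
    DetectedAP("aa:bb:cc:dd:ee:11", "PrinterSetup", -50),  # on-wire rogue
    DetectedAP("12:34:56:78:9a:bc", "NeighbourNet", -45),  # neighbour, never contain
    DetectedAP("de:ad:be:ef:00:02", "CorpGuest", -85),     # evil twin, but far away
]

if __name__ == "__main__":
    for ap in SAMPLE_APS:
        print(f"{ap.bssid}  {ap.ssid:<14} {classify(ap)}")
    print("review for containment:", containment_candidates(SAMPLE_APS))
```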