Discover rogue wireless APs?

I haven't had much time to experiment yet, but anybody got an idea for a
way to discover a consumer wireless AP that has been inserted into the
network.

Reason: We had a semi-techie worker in the plant bring his own AP to work
so that he could roam around his area with his laptop. Not a bad idea if
it helps productivity and as long as IT knows about it - which we didn't.
Of course, it had no security set up and was wide open.

Unfortunately his boss and the plant manager can't understand why we are
so upset. They are assuming that we are mad because we have been bypassed
and might not get credit for a good idea. Trying to explain that the
worker has bypassed several thousand dollars worth of firewalls and
security appliances between us and a really nasty world gets nowhere. It
just isn't a big deal to them. At least it wasn't until we disabled the
ethernet port serving his desk.

That incident is fixed, but I am starting to research just how to
autodiscover this the next time it happens. Physical search is out of the
question - the place is far too big. At the far end of the spectrum,
issuing connections based on logged MAC addresses would work, except that
it would be a major administration pain, so that is totally out of the
question. And what happens when some real techie turns his machine into a
PC based accesspoint? Pink slips would help some, but that is not our
call.

Anybody?

Overt
.