I was just browsing around a bit and i stumbled onto this little exploit in the lightweight access-points.
If you have a Wireless LAN Controller (WLC) the LW-AP's will broadcast unencrypted information about the WLC. This enables the hacker to set up a rogue AP's troughout the network. This is a security risk because then the hacker can sniff all the traffic going trough the network.
Cisco doesnt have a solution for this yet.
The only thing you could do for now is monitor your WLC and check the MAC address/amount of AP's registered to the WLC.
It's really interesting to know such news as this lightweight technology is relatively new. It seams that the WLCs IP is broadcasted during what is called a hunting process were APs try to gather as much WLCs IPs as possible inorder to join one of them. It's worth saying here that Cisco WLCs have some rouge AP protection features that can be configured through it's GUI interface. At least that's whats apparent from the CCNA Wireless official guide.
I'm getting one WLC2006 soon, so I might test this thing as well 8)