There is a rogue AP enforcement feature between Instant APs and the Mobility Access Switch. When an IAP detects a Rogue AP, it can signal the Mobility Access Switch to search through it's MAC-Address-Table for the Rogue in question. When it is found it will shutdown the port if it is an access port or discard packets from that MAC address if it is found on a trunk.
We are investigating adding the same capability to Campus APs. If you have think this would be beneficial, I highly recommend submitting the request to the idea portal.
https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp
Best regards,
Madani