From a management perspective, IAPs can only manage IAPs.
When you refer to "authorised AP" are you referring to the ability to manage it or are you referring to taking an AP that has been flagged as a Rogue and changing its flagged status to "Neighbor" or "Authorized".
IAPs do not require any SW licensing -- all features are built-in including Rogue detection and containment. The IAP can do containment on its own; however, if you are using it with a Mobility Access Switch (MAS) the MAS can also do containment. The IAP will tell the MAS the BSSID (MAC) of the Rogue then the MAS will disable the port and PoE where the Rogue is connected (on access port) or blacklist the MAC of the Rogue plus any clients connected to the Rogue (on Trunk ports).