Identifying rogue access points


JimGeier
11-01-2002, 09:00 AM
You can use many available 802.11 test tools (e.g., AirMagnet, AiroPeek, etc.) to find rogue access points, but these tools find the access points from the radio side of the network (i.e., they look for access point beacons). This requires you to be within range of the rogue access points. Of course, that can be very time-consuming if the company is very large or covers a wide geographical area. You have to walk or drive to each site (which may be impractical if the company spans worldwide).

Does anyone have any ideas on how to identify rogue access points from the wired side of the network?

Ted
11-01-2002, 01:18 PM
I think it is difficult to find a complete and universal solution to this question.

What I would do in a moderate-sized network is to use a LAN scanner to identify all devices having an IP address. I assume that all access points have some proprietary identifying information (this needs more research) and should answer to different probes.

This is part of a general analysis of "rogue devices" in a network, and in theory shows all authorized and unauthorized devices. When you filter away all well-known devices--for example, routers and switches by their IP address, normal PCs by their general characteristics, etc.--you should have a reasonably sized list of devices to check up manually.

I have myself occasionally used LanGuard Network Scanner from GFI software Ltd (www.gfi.com) for scanning a network for "strange devices." Price of that product is not horrifying: It's available in a basic freeware version for non-commercial use, and a beefed-up professional one for $99. But, for sure, there are so many suitable scanners which can do the trick. It still takes time if you have a huge network to scan... But it could be anyway much faster than visiting every location of a large network!
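
The filtering described in the post above (scan everything, drop known infrastructure by IP address and ordinary PCs by their general characteristics, then review what is left), as an added example that is not part of the original thread. The scan records, inventory, port sets and banner keywords are constructed assumptions, not output from LanGuard or any other real scanner.

```python
# Constructed scan records (not real data); MACs use the RFC 7042 documentation range.
SCAN = [
    {"ip": "10.0.0.1", "mac": "00:00:5e:00:53:01", "ports": {22, 161}, "banner": "core router"},
    {"ip": "10.0.0.2", "mac": "00:00:5e:00:53:02", "ports": {23, 161}, "banner": "floor switch"},
    {"ip": "10.0.1.20", "mac": "00:00:5e:00:53:20", "ports": {135, 139, 445}, "banner": ""},
    {"ip": "10.0.1.21", "mac": "00:00:5e:00:53:21", "ports": {80, 161},
     "banner": "Wireless Access Point setup"},
    {"ip": "10.0.1.22", "mac": "00:00:5e:00:53:22", "ports": {80, 9100}, "banner": "printer status"},
    # Inventory IP answering from a MAC the inventory does not list.
    {"ip": "10.0.0.3", "mac": "00:00:5e:00:53:99", "ports": {80}, "banner": "802.11 bridge"},
]

# Hypothetical inventory of authorized infrastructure: IP -> expected MAC.
INVENTORY = {
    "10.0.0.1": "00:00:5e:00:53:01",
    "10.0.0.2": "00:00:5e:00:53:02",
    "10.0.0.3": "00:00:5e:00:53:03",
}
PC_PORTS = {135, 139, 445}        # assumed "general characteristics" of a normal PC
MGMT_PORTS = {23, 80, 161, 443}   # assumed management interfaces on embedded devices
AP_KEYWORDS = ("wireless", "access point", "802.11", "ssid")  # assumed banner hints

def is_known(host):
    """Authorized only if both the IP and the MAC match the inventory."""
    return INVENTORY.get(host["ip"]) == host["mac"].lower()

def looks_like_pc(host):
    """File-sharing ports open and no management interface exposed."""
    return PC_PORTS <= host["ports"] and not (host["ports"] & MGMT_PORTS)

def review_list(scan):
    """Return [(ip, reasons)] for hosts left after filtering, most suspicious first."""
    ranked = []
    for h in scan:
        if is_known(h) or looks_like_pc(h):
            continue
        reasons = []
        if h["ip"] in INVENTORY:
            reasons.append("inventory IP with unexpected MAC")
        hits = [k for k in AP_KEYWORDS if k in h["banner"].lower()]
        if hits:
            reasons.append("banner mentions " + ", ".join(hits))
        mgmt = sorted(h["ports"] & MGMT_PORTS)
        if mgmt:
            reasons.append("management ports " + str(mgmt))
        ranked.append((len(reasons), h["ip"], reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return [(ip, reasons) for _, ip, reasons in ranked]
```

Hosts that survive the filter with no access-point hints (the printer in this sample) stay on the list at the bottom, since the point of the exercise is a short list for manual checking rather than an automatic verdict.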

ECGriffith
11-01-2002, 03:56 PM
A number of companies are building rogue access point detection into their products, including Wavelink (http://www.wavelink.com), Colubris (http://www.colubris.com), AirWave Wireless (http://www.airwave.com), and AirDefense (http://www.airdefense.com), to name a few. I think you can expect to see this become almost standard on enterprise grade access points and access control systems over the next several months.