"...do you have a suggestion (besides NAC) for pinpointing a rogue access point on a lan from the wired side?"
Finding rogue AP's from the wired side is tricky. You can try scanning for them using Nessus or NMap, but I've had only limited success with these techniques. This is because the typical wireless router you get from Best Buy today isn't going to give up enough data for Queso TCP fingerprinting or banner grabbing to work if the 'outside' interface is plugged in to your network, which is pretty much required in order for it to work.
If the AP is just an AP (like my Linksys WAP11) and not a NAT router (like my Linksys WRT54G), then NMap or Nessus may work for you. Using your switches is another good way to find it - look for multiple ARP entries with a single MAC on any given switch port. There may be 'switchport port-security' features on your Cisco IDF/userland switches that can prevent regular APs from serving more than the first wireless client as well. Probably depends on the switch's IOS version and the AP's behavior.
You can also do things like dump ARP/CAM tables from your switches and match the first part of the MAC address against the IEEE database looking for manufacturers like Buffalo, Linksys, D-Link, TI, etc.
This works with AP's and routers alike, and is probably a good idea to do on any network without EAP/NAC, especially if you've standardized your workstations so you know all the NIC's are from just one or two OEMs, so anything else is worth tracking down.
However, I think that the best way to find rogue AP's is via wireless signal. Using something like the features built in to the Airespace/Cisco systems, a wireless IDS like AirDefense, or even just regular site checks with a laptop and Kismet (or a PDA and PocketWarrior) will yield the best results.