If you want users to authenticate with LDAP / Active Directory, wouldn't it be better to use WPA2 Enterprise with 802.1X? Have a read of the wireless guide at http://docs.fortinet.com/d/fortigate-deploying-wireless-networks-2 for more info.
That is far more secure and does not require user intervention.
Also, for rogue AP detection, monitoring the APs in the area is one thing, but be sure to whitelist any known-good APs belonging to neighboring people or companies before turning on any blocking of rogue APs, or else you will not win any friends among your neighbors when you bring down their wireless network. :)
--
Sean Toomey, CISSP FCNSP
Consulting Security Engineer (CSE)
FORTINET— High Performance Network Security
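As an added illustration of the two points above (not part of the original reply, and not an official Fortinet configuration), the following FortiOS CLI fragment shows a WPA2-Enterprise SSID bound to a RADIUS server, a WIDS profile with rogue scanning enabled, and an explicit "accepted" entry for a neighbor's BSSID created before any suppression is turned on. The server address, shared secret, SSID names and BSSID are constructed placeholders, and the exact keywords should be checked against the CLI reference for your FortiOS version, since they vary between releases.

```fortios
# RADIUS server that fronts LDAP / Active Directory for 802.1X.
# Address and secret are placeholders.
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret "REPLACE_WITH_SHARED_SECRET"
    next
end

# WPA2-Enterprise SSID: clients authenticate with their directory
# credentials via EAP, so no captive portal or per-user intervention.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "corp-radius"
    next
end

# Known-good neighbor AP marked as accepted BEFORE enabling suppression,
# so it is never treated as rogue. BSSID and SSID are placeholders.
config wireless-controller ap-status
    edit 1
        set bssid 00:00:5e:00:53:01
        set ssid "Neighbor-Office"
        set status accepted
    next
end

# WIDS profile: scan for rogue APs and report them. Leave suppression
# off until the accepted list covers every neighboring network you can see.
config wireless-controller wids-profile
    edit "office-wids"
        set ap-scan enable
        set rogue-scan enable
        set ap-bgscan-period 600
    next
end
```

Apply the WIDS profile to the relevant FortiAP profile, review the detected-AP list for a few days, add every legitimate neighbor to the accepted list, and only then consider changing any entry's status to suppressed.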