Identification of a Rogue AP by Air Marshal is based on the MAC addresses used by the device. The comparison is made between the MAC address in the BSSID and the MAC addresses seen on the wired network. If the MAC addresses are close enough, then it is flagged as a Rogue. More detail on this is found in the 'Rogue SSIDs' section of this document: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal

So Air Marshal can only work with the information it has. It is entirely possible that in an Enterprise-class access point like the Aruba devices the MAC addresses for the wireless and wired sides are very different, thus making it difficult (if not impossible) for Air Marshal to detect the Rogue. (I would imagine this would be the same with most Rogue detection systems.) You may need to capture the MAC addresses on the wired network and the BSSID to see if Air Marshal should be triggered or not.

It's worth understanding how the mechanisms work and their limitations, and this may well be one limitation. It's also worth understanding what you are trying to prevent. In this scenario you should catch an employee who is either inadvertently (or maliciously) connecting a basic AP to a network, but you're not going to stop a dedicated professional with the right gear - but you should still be able to spot a Rogue AP broadcasting your SSID. If this is a concern, you can also look at features like Sticky MAC on the switch ports to limit the number of MAC addresses that can be learnt by a port (although, again, make sure you understand the operation of this feature and its impact).
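As an added example (not part of the post above, and not Meraki or Aruba code), the following script does the manual check the post suggests: it takes BSSIDs seen over the air and MAC addresses learnt on the wired side (for example, exported from a switch's MAC address table) and reports, for each BSSID, the nearest wired MAC and how far apart the two addresses are numerically. Meraki does not publish the exact "close enough" rule on this page, so the threshold `NEAR_THRESHOLD`, the verdict names, and all the sample MAC addresses are assumptions constructed for illustration. The sample data includes a consumer AP whose BSSID is two away from its LAN-port MAC (the case Air Marshal is designed to catch) and an enterprise-style AP whose wireless OUI has nothing in common with its wired MAC (the limitation the post describes).

```python
"""Compare over-the-air BSSIDs with wired-side MAC addresses.

Added example, not Meraki's or Aruba's code. The proximity threshold and
verdict names are this example's own assumptions; Air Marshal's real rule
is not published on the page this accompanies.
"""
import re

# Assumed maximum numeric distance between a BSSID and a wired MAC for the
# two to be treated as the same device. An assumption, not a Meraki value.
NEAR_THRESHOLD = 16


def mac_to_int(mac: str) -> int:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def oui(mac_int: int) -> int:
    """Top 24 bits: the vendor (OUI) part of the address."""
    return mac_int >> 24


def closest_wired_mac(bssid: str, wired_macs: list[str]) -> tuple[str, int]:
    """Return (wired MAC, absolute numeric distance) nearest to the BSSID."""
    b = mac_to_int(bssid)
    best = None
    for w in wired_macs:
        d = abs(b - mac_to_int(w))
        if best is None or d < best[1]:
            best = (w, d)
    if best is None:
        raise ValueError("no wired MAC addresses supplied")
    return best


def classify_bssids(bssids: list[str], wired_macs: list[str],
                    threshold: int = NEAR_THRESHOLD) -> dict[str, tuple[str, str, int]]:
    """Map each BSSID to (verdict, nearest wired MAC, distance).

    Verdicts (this example's own labels, not Air Marshal's):
      near-wired-mac  - within `threshold` of a wired MAC; a BSSID-based
                        detector would be expected to flag this
      same-oui-only   - same vendor prefix but not numerically close; worth
                        a manual look, but not a match on the assumed rule
      no-wired-match  - nothing on the wire resembles it, which is what an
                        enterprise AP with unrelated radio MACs looks like
    """
    results = {}
    for bssid in bssids:
        nearest, dist = closest_wired_mac(bssid, wired_macs)
        if dist <= threshold:
            verdict = "near-wired-mac"
        elif oui(mac_to_int(bssid)) == oui(mac_to_int(nearest)):
            verdict = "same-oui-only"
        else:
            verdict = "no-wired-match"
        results[bssid] = (verdict, nearest, dist)
    return results


# Constructed sample data (assumptions, not captured from a real network).
SAMPLE_WIRED_MACS = [
    "00:11:22:33:44:50",  # consumer AP's LAN port as learnt by the switch
    "00:11:22:aa:bb:cc",  # unrelated device from the same vendor
    "10:20:30:40:50:60",  # enterprise AP's wired interface
]
SAMPLE_BSSIDS = [
    "00:11:22:33:44:52",  # consumer AP radio: LAN MAC + 2
    "00:11:22:aa:bb:00",  # same OUI as a wired device, but far away
    "a0:b1:c2:00:00:01",  # enterprise AP radio: OUI unrelated to its wired MAC
]

if __name__ == "__main__":
    for bssid, (verdict, nearest, dist) in classify_bssids(SAMPLE_BSSIDS, SAMPLE_WIRED_MACS).items():
        print(f"{bssid}  {verdict:15s}  nearest wired {nearest}  distance {dist}")
```

Run it and the consumer AP comes out as `near-wired-mac` (distance 2) while the enterprise AP comes out as `no-wired-match`, even though both are plugged into the same switch; that second line is the situation in which a BSSID-to-wired-MAC comparison alone cannot tell you a rogue is there, and where port-level controls such as Sticky MAC become the more useful check.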