Obtain credentials by spoofing WPA/WPA2 Enterprise network?
This is one small part of a much larger answer to this question.....
One method of protecting against rogue access point is the use of rogue mitigation. There are multiple systems available which will allow a company to conduct scanning and deauthing of rogue wireless nodes. Some of these systems will actually allow you to upload a trusted device list (a company asset list) and block according to that list. Some are also able to correlate wired data with wireless transmissions to determine if the rogue AP is actually connected to your network or not.
For instance, if you have a worker's laptop and it connects to a spoofed corporate SSID, these sensors would be able to determine that a trusted asset is connecting to an untrusted device using a trusted network name (dona via mac addresses).
The fun part, if you see the device on your network, is using the same system to triangulate the location of the rogue device to track it down and see where it is plugged in to your network.
These methods also allow you to stay neutral towards any device that is not one of your company assets (which helps greatly from the legal side of things). You would only be targeting systems which are owned by your company or are connected to creating unauthorized connections to your corporate network.