The present disclosure is related to systems and methods for detecting and disabling operations of access point impersonators in a network. In one aspect, a method includes receiving, at a network controller of a network, beacon reports from a plurality of access points; determining, by the network controller, one or more target areas with at least one potential access point impersonator operating therein; sending, by the network controller, on-demand beacon requests to one or more of the plurality of access points with corresponding coverage areas overlapping with the one or more target areas; receiving, at the network controller, responses to the on-demand beacon requests from the one or more of the plurality of access points; and determining, by the network controller, at least one access point impersonator based on the responses.