I like what they came out with at BlackHat. It deauthenticates current users and grabs the SSID and MAC from the users when they try to reconnect. Why meddle with management frames when the clients themselves can tell you everything? Then you just clone and you're off and running.
They sent a packet of this type.
Disassociation frame: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a radio NIC that is shut down gracefully can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association
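Added example, not part of the original post: a defender-side sketch that picks disassociation and deauthentication frames out of raw 802.11 management frames and flags a BSSID that receives a burst of them, which a single graceful power-off does not produce. The sample frames, MAC addresses, window and threshold are constructed assumptions, and frames are assumed to start at the 802.11 header (no radiotap header, no FCS).

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a client's link.
TEARDOWN = {10: "disassociation", 12: "deauthentication"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_teardown(frame):
    """Return (kind, dst, src, bssid, reason) for a teardown frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in TEARDOWN:
        return None                          # not a management teardown frame
    (reason,) = struct.unpack_from("<H", frame, 24)
    return (TEARDOWN[subtype], mac(frame[4:10]), mac(frame[10:16]),
            mac(frame[16:22]), reason)

def flag_bursts(capture, window=1.0, threshold=5):
    """Return BSSIDs that saw >= threshold teardown frames within `window` seconds.
    window and threshold are illustrative values, not tuned ones."""
    recent, flagged = defaultdict(deque), set()
    for ts, frame in capture:
        parsed = parse_teardown(frame)
        if parsed is None:
            continue
        times = recent[parsed[3]]            # timestamps seen for this BSSID
        times.append(ts)
        while ts - times[0] > window:        # drop entries older than the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add(parsed[3])
    return flagged

def build(subtype, dst, src, bssid, reason=0):
    """Build a constructed test frame: header fields zeroed except type and addresses."""
    header = bytes([subtype << 4, 0, 0, 0]) + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

# Constructed sample capture; all addresses are made-up locally administered MACs.
AP1, AP2, STA = (bytes.fromhex(h) for h in ("02aabbccdd01", "02aabbccdd02", "02aabbccdd10"))
SAMPLE = [(0.0, build(8, b"\xff" * 6, AP1, AP1)),        # beacon subtype, ignored
          (1.0, build(10, AP1, STA, AP1, reason=8))]      # one graceful disassociation
SAMPLE += [(5.0 + i * 0.1, build(12, b"\xff" * 6, AP2, AP2, reason=7)) for i in range(6)]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE))
```

A burst is a signal to investigate rather than proof of spoofing, since access points also send these frames legitimately.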