Wifi authentication frames aren't encrypted, so you can craft bogus de-auth packets to disconnect clients. This has a lot of uses - you can DoS a client indefinitely, force them to reveal a hidden access point when reconnecting, or force them to disconnect and then reconnect to a rogue access point.
