Weird, this topic just came up yesterday. Sounds like this sort of thing definitely does happen in the wild: wifi "monitoring" systems that forge deauth packets as if they came from your AP, causing stations to disconnect.
(There are new 802.11 standards that provide for signing your management frames, which would prevent this attack on devices which understand the new standard. Not sure if anyone implements it yet.)
ssh+2FA to all your machines, anywhere, without opening firewall ports.