I never tried to spoof mac adresses on tha AP, but i think the way Mac spoofing is handled depends on the AP itself. But since many AP are linux based i guess they will behave similar.
. The only issue is, if the other guy powers back up, he's end up getting a different IP and depending on your captive portal settings, as soon as he/she logs in it would cut off the other fake user.
You pointed out an other issue i had with thei instalation. Sometimes there are groups of 15 to 20 personns staying at the hotel, the employee at the reception desk always gives the same username and password to each person in the group. Of course when i first configured the m0n0 box i had checked the option to "Disable Concurrent Login", the hotel owner called me the day after "Customers are complaining, they get back to the portal on every page load"
So now this option is turned of....
As a first shot i will increase the DHCP range and reduce lease time....
BTW handling with public wireless is not that easy
Edit :I finally ended up in keeping the 24hours DHCP lease and increased the available IP range up to 65534 (subnet mask 255.255.0.0) (I'm using class A IP), if an attacker wants to fill all the DHCP range it should take about 91 hours !