CaptivePortal gateways such as NoCatAuth are great ways for community networks to provision free wireless AccessPoints. However as a commercial authenticaion system they have some weaknesses. I won't elaborate too much here but since DNS is typically required in order to seemlessly capture the clients request you can do IP over DNS tunnels. -- AdamShand
Further if the gateway allows ICMP there are more problems:
There are of course fixes for all of these problems, the most obvious is don't allow ICMP traffic to pass until the cusomter is authenticated. For DNS it's a little harder but I'm sure someone can think of something 
Two common ideas like only authorise DNS to the knowned DNS servers served by the DHCP or installing a local caching only nameserver both won't work, because these DNS-servers will happily forward the DNS-requests to the target nameserver