Captive Portal for devices behind NAT: Is it possible?

Question

A related question:

Do all captive portal solutions work the same way? (cookie, vs MAC address, vs other?)

I have been reading about Captive Portal at Wikipedia.

This part generates a question:

A captive portal that uses MAC addresses to track connected devices can sometimes be circumvented by connecting via hard-wire a router that allows setting of the router MAC address. Many router firmwares call this MAC cloning.

As long as Wikipedia talks about captive portal that uses **MAC addresses**, is there any other method for tracking/managing them?

Reason for asking this: I am planning to set up a captive portal for the WiFi service offered to the clients in a hotel. As for today, the repeaters (Routerboard) are configured to work in router mode, as long as I prefer it over access point mode. So, the MAC Address of any connected client will not be seen by the Gateway managing the captive portal.

Can I implement some sort of captive portal for access control in this case?

Note:

• Please, this question is not "Is it better router mode over access point mode for WiFi repeaters?". I actually want to keep my repeaters in router mode. I don't want to change them. Save answers like "it is preferred to use access point mode because..." for another thread, not this one.

Answer 1

You might be able to get a small portion of your clients to accept a captive portal. However, these may break security of connections, so clients that need secure connections are likely to refused your service and switch to a different hotel. It is unlikely you will be able to easily lure those clients back.

Very few protocols allow injection of something into the data stream, that would allow tracking a device by anything but MAC address or the associated IP address.

• HTTP allows setting cookies, but those are specific to domains.
• IPv6 introduced temporary addresses which breaks IP address tracking.

In the end you are stuck with tracking MAC addresses.