Hi Telematic,
A captive portal is an open network without any encryption at the 802.11 wireless layer (layer 2). Before authentication a captive portal is just a DNS redirection; after authentication there is no 802.11 encryption involved either. The application itself is fully responsible for security by using end-to-end encryption at layer 7.
That said, you will find that captive portals are not secure enough for production environments, just for guest access that only needs to reach the internet, and which must of course be separated from any production networks by the firewall.
Yes, MAC spoofing of a captive portal is possible; as we know, all client MAC addresses are always visible in the 802.11 management frames. There are few network drivers available that can change the MAC address, and they are almost only on Linux boxes; Windows can't change the MAC address. If a MAC address is duplicated online this will cause connectivity issues, but yes, it's possible with a box like Kali Linux. In practice it will be rare, maybe with the exception of the education or hotel sector.
MAC caching is a great feature that helps to improve the user experience of guest users, so that the portal is not shown each time they re-authenticate. But really secure it is never!
(Please note that Apple iOS 14 starts using MAC randomization, which has a big impact on the way we use MAC caching for wireless devices.)
If you have concerns about security, don't use captive portals at all but use RADIUS authentication. RADIUS authentication (WPA-Enterprise) has AES encryption at the 802.11 Wi-Fi layer 2, so all data in the air is encrypted, even when the application is not (until leaving the wireless network) ;).
The most robust solution could be the ClearPass Onboard feature (licensed), where you use a captive portal to onboard wireless clients and provide the client with a certificate (deployed over HTTPS security). After that the user needs to reconnect to the SSID with certificate-based security (EAP-TLS). The onboarding solution is mostly used for BYOD devices.
For corporate devices, deploy EAP-TLS through your Active Directory or MDM solution.
For guests, captive portals are fine (with or without MAC caching) because they are only allowed to use "internet-only". You can also combine a captive portal with a WPA2 key on top, but that is a less-used solution.
Hope this helps you!
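As an added illustration (not part of the reply above, and not ClearPass or any vendor code), here is a small Python model of a portal MAC cache that shows the two points made in the reply: authorization keyed purely on the client MAC is bypassed by anyone who presents a cached MAC, and a device that shows up with a new randomized (locally administered) address on its next visit gets the portal again. The device MACs, the 7-day cache lifetime and the assumption that the phone's random address differs between visits are all constructed for the example.

```python
"""Toy model of captive-portal MAC caching (added example, not vendor code).

A portal MAC cache records the MAC that completed the portal login and lets
that MAC through without the portal until a lifetime expires. Because the
decision is keyed on nothing but the MAC, two things follow:
  * anyone who spoofs a cached MAC is treated as authenticated;
  * a client that uses a fresh randomized MAC is never found in the cache.
All addresses and timings below are constructed for illustration.
"""
import random
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
DAY = 86400.0


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF and canonicalize."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    OS MAC randomization hands out locally administered addresses, so this
    bit is the quickest hint that a MAC will not be stable across visits.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def random_private_mac(rng: random.Random) -> str:
    """Build a unicast, locally administered address: set bit 1, clear bit 0."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


class MacCache:
    """MAC -> time of last portal login; valid for ttl_seconds."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._seen = {}

    def authenticate(self, mac: str, now: float) -> None:
        self._seen[normalize_mac(mac)] = now

    def is_cached(self, mac: str, now: float) -> bool:
        t = self._seen.get(normalize_mac(mac))
        return t is not None and (now - t) < self.ttl


def portal_required(cache: MacCache, mac: str, now: float) -> bool:
    """The only check a MAC-cached portal makes: is this MAC in the cache?"""
    return not cache.is_cached(mac, now)


def simulate() -> dict:
    """Walk two guests through a 7-day MAC cache and report what happens."""
    cache = MacCache(ttl_seconds=7 * DAY)
    rng = random.Random(1234)                 # fixed seed: deterministic demo
    laptop = "00:11:22:33:44:55"              # constructed burned-in style MAC
    phone_day1 = random_private_mac(rng)      # constructed randomized MAC

    # Day 1: both guests complete the portal login.
    cache.authenticate(laptop, now=0.0)
    cache.authenticate(phone_day1, now=0.0)

    # Day 2: the phone presents a different random MAC (assumption for the demo).
    phone_day2 = random_private_mac(rng)
    while phone_day2 == phone_day1:
        phone_day2 = random_private_mac(rng)

    return {
        "laptop_mac_is_randomized": is_locally_administered(laptop),
        "phone_mac_is_randomized": is_locally_administered(phone_day1),
        "laptop_day2_needs_portal": portal_required(cache, laptop, DAY),
        "phone_day2_needs_portal": portal_required(cache, phone_day2, DAY),
        # A spoofer presenting the laptop's MAC (in another notation) is let in.
        "spoofer_with_laptop_mac_needs_portal":
            portal_required(cache, "00-11-22-33-44-55", DAY),
        # After the lifetime expires even the real laptop sees the portal again.
        "laptop_day9_needs_portal": portal_required(cache, laptop, 9 * DAY),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point of `portal_required` is how little it checks: nothing ties the MAC to the person who clicked through the portal, which is the reply's argument for keeping portal-only networks internet-only and moving anything sensitive to WPA-Enterprise with EAP-TLS.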