Because users are identified by their MAC hardware address it is possible that someone using a packet sniffer can spoof/ impersonate the authenticated MAC hardware address and thereby gain network access. Setting a hard timeout can help to minimize this risk.
Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work.
Plan carefully when you will make changes to the Captive Portal configuration. Changing any settings on the main Captive Portal configuration window will disconnect all clients!
Because of the way Captive Portal is implemented, it cannot be used on more than one interface.