It is not as simple as it seems. Once the impostor has sniffed the authenticator, before using it he or she must wait for the legitimate client to abandon the network. The IP and MAC addresses would then be changed and made correspond with those of the client who abandoned the network and lastly send the authenticator to the gateway, while waiting for the latter to enable the connection. In fact, the impostor would wait in vain for two reasons: the authenticator has a limited duration over time and most certainly, on use by an impostor, will have already expired; the captive gateway can remember previously used authenticators to enable a connection and won't allow access to a replica.