At my university, it was against the rules to plug WiFi routers or APs into the university's network. The reason for that was that it's a huge security risk to allow anyone to run an AP on the network - if it's not configured correctly, it could allow unauthorized, open access to the network to malicious third parties.
You say it's a security risk "if your AP isn't configured correctly." It would be much more accurate to say "if the university network isn't configured correctly."
If you expose unrestricted access to sensitive stuff to everyone on the dorm ethernet, sinister wifi hackers on the sidewalk outside are the least of your worries. Your university IT was trying to cover their incompetence with random authoritarianism.
University networks generally implement 802.1X, WPA2/EAP, MAC registration, and similar authentication schemes so that every device is tied to an authorized user and malicious activity can be traced to a real person.
When a network device is attached that doesn't pass this authentication requirement on to its users (i.e. by NATing, or offering a public or common-key WiFi network), the university loses its ability to see who is doing what, and to deny access to people it doesn't want on its network. IT departments don't like that.
The security risk is not so much that you can now route certain internal IPs, but that IT has no way of determining who you are, or even your real MAC address, if it has questions about or objections to your traffic (whether
Hopefully no one is placing sensitive services on the same network as dorm rooms with no security, but being on the LAN is often used as a front line. For one thing, sitting on the right part of the campus network gets you access to most scientific journals based on IP whitelisting. The University is contractually not allowed to provide this access to people who aren't students/faculty/staff, so it has to control who can come from those IPs. We operate separate SSIDs for guests that route to the internet through IPs not in the whitelist. We also have certain intranet-only services like Facilities work orders, printing, etc. that could be on the public internet, but don't need to be, so better to keep those aging, likely vulnerable applications behind a layer than not.