That is a function of the RADIUS server, not the RADIUS client (the router). The most reasonable approach is to have an expiration date on the account on the RADIUS server. The RADIUS server only allows logins when the expiration date is in the future, and serves the client the timeout attribute on login, which is set to the number of seconds until the expiration date. That way the client knows to log the user out at the expiration date, and if the user tries to log in again, the attempt fails because the account is expired.
However, all that takes place on the RADIUS server, so you should ask your server vendor for support on how to implement that.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.