Happy birthday then
As a final note, I do realise it's not always the easiest thing to take down / reconfigure a radius server - especially with piles of active sessions. Again, presuming you are using MySQL, setup a different Radius server, using the same configs and the same databases.
Then just log the auth-reply details on the new server, for the accounts not doing the timeouts. You can more than likely test this by just running the queries FreeRadius executes against the database with the correct user details. It's either your user-reply (will only affect single user accounts - which is what you are experiencing I guess), or group-reply (which will affect groups of users obviously) that is not sending the correct attributes to FR. Attributes is obviously very sensitive to values, operators, as well as case sensitive, but you knew that, right?
Also worth noting, I'm not 100% now on which way arround right now without digging in some docs, but a reply to a attribute in one table, will overwrite a reply in another table (you need to use priorities if you specify one attribute multiple times). ie. If user-reply give a Session-Timeout := 10, and group-reply gives a Session-Timeout := 86400, the results may not be what you want. MT may also handle duplicate attributes in different ways, or even disregard it completely - I don't know what MT does internally to attributes.
Lastly, there's also raddump (if I'm not mistaken), which is a packet sniffer for the radius protocol. Never needed to use it before myself, but it should give you full details on anything received and transmitted by FR.
I am however pretty sure, the couple of users not disconnecting is merely a issue with a missing and/or incorrect attribute.
--
Chris