There is a scheduled access configuration under WLAN where you can define the working hours of that WLAN. During the enabled hours the WLAN will be enabled and clients can connect. If you ar trying to selectively do this for specific clients then better would be to send a session time from RADIUS server which ends by the time working hours finishes. "Sync Accounting" configuration is used for supporting same accounting session for roaming clients and is specially usefull for guest access clients and if you are fine with having new accounting session for a roamed client then you can disable this configuration.
your first issue which you had mentioned was that client continue to have access beyond working hours and for that session-timeout is a good solution. But later to that your RADIUS server has to reject authentication for the clients which are trying to get access beyond working hours. There is no way on the AP where you can kind of simily drop these clients which are trying to access beyond their supported working hours. Does all these specific clients share the same working hours or each can have a different working hours? Just wanted to understand the use case here. Can you use two different WLAN's one for these specific clients which is enabled with scheduled access.