Thank you Tim for your really precious advices...
ClearPass was my first thought but we don't have the budget for it:-(
A possible solution could rely on Session Timeout (calclulated as expiration-datetime minus now-datetime as you suggested) passed back with a VSA from RADIUS to Controller AND a local check on the RADIUS that rejects access-requests sent after expiration-time. In other words the RADIUS should be configured to:
a) reject access-requests "outside" the guest account validity interval (before the beginning and after the end)
b) accept access-requests "inside" the guest account validity interval (after the beginning and before the end). In this case the RADIUS calculates the Sessioni-Timeout and instructs the controller to "clear" the sessione accordingly (exaclty at expiration time).
Once the guest user tries to connect againg it's rejected because of a).
Does it make sense to you?