The problem I've seen when I've looked at this is signalling to the user that the session has ended. Sure, your EBF filter stops passing traffic, but the user has to know that they need to visit a page to reauthenticate.
That requires integration with a client, which is a massive pain to integrate.
It sounds like upon expiry, you could redirect all 80/443 traffic to the same node, serving an error page. In my mind, that's better than having to install a client.