Time limited VPN

you have a few options some better or more or less complex

try setting a time-base-policy via the scheduler, be careful of accept/deny in your policy and based on policies that you create.

A 2nd option that we use for contractors, is to use MS-AD and certificate and set  the cert end-date for XX/XX/XXXX that why they won't get access after the certificate expires. You can also in some signer sign the cert for a future-date and then set the cert-time duration. That would be to hard to explain how in a post-forum. Just keep in mind that you  do future signing, you can't sign past the CA-certificates end-date.

And lastly, if it's  contractor/student/consultant and you have MS-AD, you can set the account to expire at XX/XX/XXXX, hence denying his access or you could run a power-shell script that change his/her membership from the vpn_access_group.

You have to see what is easier for your environment,

If you do policy-base, keep in mind unless that "user" get's the same address , it's next to impossible to block by his ipv4 address in a policy.

Ken Felix