For firewalls most people just use the accounting data to start and stop sessions as appropriate. This is usually triggering a script from within the accounting {} section of the FreeRADIUS server, creating the session on Acct-Status-Type == Start and destroying it on Acct-Status-Type == Stop.
If the PAM module sends Interim-Updates, you can record those in a database, and also set a 'lastupdated' timestamp. You then have a cronjob to check for rows where NOW() - lastupdated > (interim-interval * 2), and for those rows, delete the session on the firewall and close out the session in the database.
There is no proper SSO mechanism I know of which runs purely over RADIUS. The Project Moonshot guys were trying to get something working with SAML and a special EAP method, but it's probably too complex for what you want here, and not supported by PAM anyway.
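The accounting flow described in the answer above, as an added sketch that is not part of the original answer and is not FreeRADIUS code. Assumptions: a 300-second interim interval, a `sessions` table in SQLite, accounting packets that carry `Framed-IP-Address`, and a plain list `fw` standing in for the script that adds and removes firewall sessions.

```python
import sqlite3

INTERIM_INTERVAL = 300  # seconds; assumed value of the interim interval


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS sessions (
        session_id TEXT PRIMARY KEY, username TEXT, client_ip TEXT,
        started INTEGER, lastupdated INTEGER, stopped INTEGER)""")
    return db


def close_session(db, fw, sid, now):
    """Close an open session once; duplicate or late Stops are ignored."""
    row = db.execute("SELECT client_ip FROM sessions "
                     "WHERE session_id=? AND stopped IS NULL", (sid,)).fetchone()
    if row:
        db.execute("UPDATE sessions SET stopped=? WHERE session_id=?", (now, sid))
        fw.append(("revoke", row[0]))  # hypothetical firewall hook


def handle_accounting(db, fw, pkt, now):
    """Apply one accounting packet, given as a dict of RADIUS attributes."""
    status, sid = pkt["Acct-Status-Type"], pkt["Acct-Session-Id"]
    if status == "Start":
        cur = db.execute(
            "INSERT OR IGNORE INTO sessions VALUES (?,?,?,?,?,NULL)",
            (sid, pkt["User-Name"], pkt["Framed-IP-Address"], now, now))
        if cur.rowcount:  # retransmitted Starts do not open a second session
            fw.append(("allow", pkt["Framed-IP-Address"]))
    elif status == "Interim-Update":
        db.execute("UPDATE sessions SET lastupdated=? "
                   "WHERE session_id=? AND stopped IS NULL", (now, sid))
    elif status == "Stop":
        close_session(db, fw, sid, now)


def reap_stale(db, fw, now):
    """Cron job body: close sessions silent for more than 2x the interval."""
    stale = [r[0] for r in db.execute(
        "SELECT session_id FROM sessions "
        "WHERE stopped IS NULL AND ? - lastupdated > ?",
        (now, INTERIM_INTERVAL * 2))]
    for sid in stale:
        close_session(db, fw, sid, now)
    return stale
```

The reaper is what removes firewall access for clients that vanish without ever sending a Stop, so it should run at least as often as the interim interval.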