Hi Scott,
Deauthenticate:
From the client side, user can https to https://virtual-interface-ip/logout.html, and click logout.
From the admin side, you see the clients in the monitor page, and you can remove them, which deauthenticates them.
Timeout: navigate on your controller to WLAN, your Web auth WLAN, go to the advanced tab. There is Enable Session Timeout, which you can set. It is on by default and set to 1800 seconds.
Hope it helps
Jerome