I am currently migrating VPN services from a Cisco 3015 concentrator to our new ASA 5540's using ACS 3.3 (appliance) for authentication. I have created a group on the ACS and added some test users and all works well. The next thing I wanted to do was to assign users and force them to change their passwords upon the first successful login. When I check "apply password change rule" under the "password aging rules" of the ACS group properties, I fail to get a prompt asking me to change the password and the ACS sets the user account to expired after the first login. Thank you for your help.
I have this problem too.