My employer has implemented an AD group policy to force password changes every 3 months. This causes a problem: when a road warrior connects via VPN and then tries to access his email or a network share, it does not allow him to, because he had already logged into his laptop with his old password, and AD only prompts you to change your password on login.
Can anyone tell me how they handle this situation?
Thanks in advance.
Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MS-CHAP v2 and check "User can change password after it has expired".
Also, in the RADIUS client properties for the ASA, the Client-Vendor needs to be set to Microsoft.
After you've set it all up, you can test it by setting a user to "must change password at next logon". If you've done it all right, the VPN client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.
If it doesn't work, check Event Viewer on the IAS server under System. Check the IAS events for errors.
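The test and troubleshooting steps above can be scripted from a Windows admin workstation. The following PowerShell is an added example, not code from the original thread: it flags a test account as "must change password at next logon" through ADSI (the same thing the checkbox in AD Users and Computers does), waits for you to run the VPN client test, and then pulls the most recent IAS entries from the System log on the IAS server. The account name `vpntest` and the server name `ias01` are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Assumes a domain test account
# 'vpntest' and an IAS server reachable as 'ias01'; run from a domain-joined
# admin workstation with rights to modify the account and read the remote log.
param(
    [string]$SamAccountName = 'vpntest',   # assumed test account
    [string]$IasServer      = 'ias01'      # assumed IAS server name
)

# 1. Set "User must change password at next logon".
#    Writing pwdLastSet = 0 is what the ADUC checkbox does under the hood,
#    so this works without the ActiveDirectory module.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$SamAccountName' not found in the domain" }
$user = $result.GetDirectoryEntry()
$user.Put('pwdLastSet', 0)
$user.SetInfo()
Write-Host "Flagged $SamAccountName to change password at next logon"

# 2. Run the VPN client test now. With MS-CHAP v2 and "User can change
#    password after it has expired" enabled in the policy, the client should
#    prompt for username/password/domain and then for a new password.
Read-Host "Connect with the VPN client as $SamAccountName, then press Enter"

# 3. Read the IAS events from the System log on the IAS server.
#    IAS logs with source 'IAS'; event ID 1 is access granted, 2 is access
#    rejected (the Message text carries the reason code), 3 is discarded.
Get-EventLog -LogName System -Source IAS -ComputerName $IasServer -Newest 20 |
    Where-Object { $_.Message -match [regex]::Escape($SamAccountName) } |
    Format-List TimeGenerated, EventID, EntryType, Message
```

If the event list shows ID 2 with a reason mentioning the authentication type, the policy is still not offering MS-CHAP v2; if it shows ID 1 but the client never prompted for a new password, recheck the Client-Vendor setting on the ASA's RADIUS client entry.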