I have a question that I hope you will answer for me. I'm running an ASA (8.0.2) and using the local Active Directory to authenticate the users while connecting with the VPN-Client and the Web SSL. So far so good, but is there any chances for the users to change the Active Directory password either from the VPN-Client or the Web SSL?
This is the command you are looking for.
Once enabled on the firewall all you have to do is make sure you are allowing mschap v2 in your remote access policy on IAS server.
When the user connects to the vpn and their password has expired, it will prompt them to change their password.
hostname(config)# tunnel-group group-name general-attributes
There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
See this post also...