I am trying to configure password aging for my VPN clients. What I have is a Cisco VPN Concentrator 3000 series that uses a Cisco ACS server 3.3 for user authentication using the local database. The users are using the Cisco VPN Client, 4.x. We are upgrading the ACS server to 4.2 shortly if that helps.
What I want to be able to do is set the Password Aging rules on the groups in Cisco ACS and have this information pass to the user via the VPN client. So for example:
---The user is assigned to group "Accounting" in Cisco ACS. This group has the Password Aging rule "Apply age-by-uses rules": issue warning after "2" logins and require change after "4" logins.
---The user logs in using the Cisco VPN client and while logging in for the 3rd time receives the message that their account will expire after the next login.
---This user then has the ability to change their password using the Cisco VPN client.
This seems like it should be fairly straightforward to set up, but I have not come across much documentation that spells out the steps to make this work.