We can prompt users to change their password ahead of time, but it requires using LDAP, not RADIUS:
tunnel-group radiustest1 general-attributes
 password-management password-expire-in-days 14
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1166214
So if LDAP is enabled on your AD Server, you can have ASA talk to the AD server directly.
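
The setup described above, as an added example that is not part of the original post: an LDAP server group pointing at the AD server, bound to the same tunnel group. The group name AD_LDAP, the interface name, the address, the DNs and the bind password are constructed placeholders.

```cisco
! Added example, not from the original post. All names, addresses and DNs
! below are constructed placeholders; replace them with your own values.
!
! LDAP server group that talks to the AD server directly.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 ! AD accepts password changes only over an encrypted connection, so
 ! password management over LDAP needs LDAP over SSL.
 ldap-over-ssl enable
!
! Point the tunnel group at the LDAP group instead of the RADIUS group,
! then enable the expiry warning from the post.
tunnel-group radiustest1 general-attributes
 authentication-server-group AD_LDAP
 password-management password-expire-in-days 14
!
! Check the result:
!   show running-config tunnel-group radiustest1
!   test aaa-server authentication AD_LDAP host 192.0.2.10 username <user> password <password>
```

Use a dedicated bind account with only the directory rights it needs, and keep its password out of shared configuration backups.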