John,
ACS (3.1) supports Password expiry configuration.
Cisco Secure ACS supports MS CHAP-based password aging feature which works with the Cisco VPN client (version 3.0 or greater). This feature prompts a user to change his or her password after a login where the user password has expired.
You will need to configure ms-chapv2 password expiration in ACS, and choose "RADIUS with Expiry" on the VPN concentrator.
Oscar