Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".
Also, on the RADIUS client properties for the ASA, the Client-Vendor needs to be Microsoft.
After you've set it all up, you can test it by setting a user to "must change password at next logon". If you've done it all right, the VPN client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.
If it doesn't work, check the Event Viewer on the IAS server under System. Check the IAS events for errors.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...