I am trying to do the same thing. There is no PW changing definition in the RADIUS protocol, so no one is doing it. We are currently using a RADIUS s/w that can email the user when the PW is about to expire and has a web interface to change their PW. That's the best I can find (Alepo).
But we are now looking at moving the user info to Windows AD so that the PW change thing works.
ACS can expire PWs and has a web interface to change them, but no way of telling a VPN user to change it.