Cisco AnyConnect issue with ASA Password Management and SMS PassCode

2nhansen (Level 1)

One of our customers has run into a problem using the ASA Password Management functionality for VPN, in combination with authentication to an SMS PassCode server.

Their users log in via Cisco AnyConnect VPN clients to a Cisco ASA 5515. The ASA uses an SMS PassCode server as its RADIUS server, and the SMS PassCode server is integrated into MS AD.

The issue is seen when Password Management is enabled for the relevant Connection Profile in the ASA:
1) If the user password expires in AD, or is set to “change password at next login”, the VPN-user is prompted to change their password when establishing a VPN Connection – as expected.
2) The password change via Cisco AnyConnect seems to be executed correctly: the user is first informed that the password has expired and needs to be changed, then prompted for the old password and for a new one twice. VPN login then succeeds.
3) After this, however, the user is no longer able to log in to the AD system directly (i.e. without VPN) due to a wrong password.
To me it looks as if the password change via SMS PassCode stores a different password in MS AD than the one the user actually entered.
4) Also, when Password Management is enabled in the ASA, users whose MS AD password is NOT expired are not able to log in via AnyConnect/VPN at all.

The customer currently runs version 9.4.2(11) on their ASA.
We suspect that CSCun25809 may be causing these issues; however, a fix for this bug is not mentioned for any 9.4.2 release for the ASA 5515 at all, as far as I can see.

Is anyone from Cisco able to check if a correction for this bug is planned to be implemented in the 9.4.2 train?
