I'm having trouble getting password changes to work with Cisco ACS 3.2, VPN 3015 and the Cisco VPN Client. I have some users configured in ACS to authenticate against our Windows Database. This works fine until their passwords expire (every 30 days). They are never presented with a change password request and the logs show 'Windows Change Password failure'.
I believe ACS is set up as specified by the documentation (with MSCHAP enabled etc.).
Are there any requirements on the user account or windows side to enable this?
Maybe User-Changeable Passwords could help you solve your issue.
Check the following link.
Hope that helps, rate if it does.
We are having a similar issue with ACS / AD and an ASA 5540 with SSL-VPN. How can we set a password to expire every 30 days and prompt the user to change it 10 days prior to that? In my view the UCP solution is only useful if a password is not set to expire and the user wants to change it.
After some more testing it turns out that UCP (User Changeable Password) only supports the built-in ACS database and no external like LDAP or AD. Hope this will change in future versions.
We ran into a similar issue. The fix we implemented was to have the VPN client run on start-up on the laptop. The scenario is that the laptop boots up...comes to a Windows login with the VPN client in the bottom left. User authenticates to VPN FIRST, then enters in their AD credentials to the Windows login box. If the password is expiring soon, the already authenticated user is prompted to change their password. Likely not the best fix as the user must login twice but it's how we got around the issue.
For password change to work via the 3015 and ACS we need the following:
1. RADIUS with expiry selected in 3015 Groups.
2. In ACS -> External DB -> Windows Config, select "Allow password change using MSCHAP and MSCHAPv2".