I currently have a PIX (IOS 6.3) and an ACS (v4.1) server. VPN clients connect to the PIX and are authenticated by the ACS through the external Windows database for Active Directory. The problem is that when a user in AD has the option checked for "User must change password at next login", the VPN client fails immediately with Reason 413: User authentication failed.
One thing I found from here:
... but I'm not sure if it applies because I am using an ACS. Would this be the correct usage line for the PIX:
aaa authentication login USERAUTH passwd-expiry group radius
Is that needed even if using an ACS? Is there anything else I'm missing? Please let me know what other information you need to help me out.