Configuring the Password Change Features on a Remote Access VPN Tunnel Terminated on a CISCO ASA

One of the most difficult scenarios to manage is remote users with expired passwords in a Windows Active Directory environment. The Cisco ASA provides a password-management feature that warns users when their password is approaching expiration and lets them change it, and that also tells users whose password has already expired and lets them change it.

This feature is compatible with Cisco AnyConnect Secure Mobility, Version 3.1 and Cisco VPN Client, Release 5.

Configuring and enabling this feature is relatively straightforward.

First, configure the LDAP server:

! LDAP server group pointing at the Active Directory domain controller
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 10.48.66.128
 ldap-base-dn CN=Users,DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=test-cisco,DC=com
 server-type microsoft

Then reference that server group in the tunnel-group and enable the password-management feature:

! Tunnel-group that authenticates against the LDAP group above
tunnel-group RA general-attributes
 address-pool POOL
 authentication-server-group LDAP
 default-group-policy MY
 password-management

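As an added example (not from this page and not Cisco's code), the following Python script parses the aaa-server and tunnel-group blocks of an ASA running-config and reports what a tunnel-group still lacks for LDAP password change against Active Directory: password-management on the tunnel-group, an LDAP server group of server-type microsoft, and ldap-over-ssl, since Active Directory only accepts password modifications over an encrypted LDAP session. It also flags a bind DN that is the built-in Administrator account, which is more privilege than the password-change operation needs. The embedded configuration is constructed: it repeats the page's LDAP and RA blocks and adds an assumed LDAPS server group and RA-SSL tunnel-group that pass the check; the service-account name svc-pwchange, port 636 and the 7-day warning window are also assumptions for this example.

```python
import re

# Constructed sample: the page's LDAP server group and RA tunnel-group, plus an
# assumed LDAPS server group / RA-SSL tunnel-group that satisfy every check
# (LDAPS, RA-SSL, svc-pwchange, port 636 and the 7-day window are assumptions).
SAMPLE_CONFIG = """\
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 10.48.66.128
 ldap-base-dn CN=Users,DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=Users,DC=test-cisco,DC=com
 server-type microsoft
aaa-server LDAPS protocol ldap
aaa-server LDAPS (outside) host 10.48.66.128
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn CN=Users,DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=svc-pwchange,CN=Users,DC=test-cisco,DC=com
 server-type microsoft
tunnel-group RA general-attributes
 address-pool POOL
 authentication-server-group LDAP
 default-group-policy MY
 password-management
tunnel-group RA-SSL general-attributes
 address-pool POOL
 authentication-server-group LDAPS
 default-group-policy MY
 password-management password-expire-in-days 7
"""

SERVER_PROTO = re.compile(r"aaa-server (\S+) protocol (\S+)")
SERVER_HOST = re.compile(r"aaa-server (\S+) \((\S+)\) host (\S+)")
TUNNEL_GROUP = re.compile(r"tunnel-group (\S+) general-attributes")


def parse_blocks(config):
    """Split an ASA config into aaa-server and tunnel-group attribute dicts.

    Unindented lines open a block; indented lines are 'key value' attributes of
    the block above them (value is '' for flag-style lines such as a bare
    'password-management').
    """
    servers, groups = {}, {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                key, _, value = raw.strip().partition(" ")
                current[key] = value
            continue
        if m := SERVER_PROTO.match(raw):
            current = servers.setdefault(m.group(1), {})
            current["protocol"] = m.group(2)
        elif m := SERVER_HOST.match(raw):
            current = servers.setdefault(m.group(1), {})
            current["interface"], current["host"] = m.group(2), m.group(3)
        elif m := TUNNEL_GROUP.match(raw):
            current = groups.setdefault(m.group(1), {})
        else:
            current = None  # some other top-level line; ignore its children
    return servers, groups


def expiry_warning_days(group):
    """Days before expiry at which warnings start, or None when the tunnel-group
    relies on the ASA default (no password-expire-in-days given)."""
    m = re.match(r"password-expire-in-days (\d+)", group.get("password-management") or "")
    return int(m.group(1)) if m else None


def check_password_management(config):
    """Return {tunnel_group: [findings]}; an empty list means the group is ready
    for LDAP password change against Active Directory."""
    servers, groups = parse_blocks(config)
    report = {}
    for name, group in groups.items():
        findings = []
        if "password-management" not in group:
            findings.append("password-management is not enabled")
        server = servers.get(group.get("authentication-server-group", ""))
        if server is None:
            findings.append("authentication-server-group names no configured aaa-server")
        elif server.get("protocol") == "ldap":  # RADIUS/TACACS groups are not checked here
            if server.get("server-type") != "microsoft":
                findings.append("LDAP server group is not server-type microsoft")
            if server.get("ldap-over-ssl") != "enable":
                findings.append("ldap-over-ssl is not enabled; AD only accepts password "
                                "modifications over an encrypted LDAP session")
            if "cn=administrator," in server.get("ldap-login-dn", "").lower():
                findings.append("ldap-login-dn is the built-in Administrator; bind with a "
                                "dedicated least-privilege account instead")
        report[name] = findings
    return report


if __name__ == "__main__":
    for group, findings in check_password_management(SAMPLE_CONFIG).items():
        print(f"{group}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, the page's RA tunnel-group is reported with two findings (no ldap-over-ssl, Administrator bind account) while the assumed RA-SSL group comes back clean; feeding it a real `show running-config` capture gives the same per-tunnel-group report.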
For more detailed information, refer to this Cisco document:
ASA Remote Access VPN IKE/SSL - Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example