kesm0724 wrote:
Is there anything special (ntlm_auth, ldap_attr,etc) that I need to configure for FreeRadius to recognize that an active directory account has expired and the user needs to be prompted to change his/her password?
The server doesn't support "change password" requests. The MS-CHAP extensions are undocumented && Microsoft proprietary. Even if FreeRADIUS implemented them, Samba would need to implement them, too.
I am not even receiving the "user needs to change password" dialogue box from the Cisco VPN client.
I'm not even sure it's possible to do that without using undocumented Microsoft extensions. You could try adding a Reply-Message attribute, and maybe the VPN will show them to the user. Or maybe not. It's up to the VPN if it shows messages, and many don't. Alan DeKok.