Changing Windows Passwords - VPN with a PIX, Cisco VPN Client and RADIUS Authentication

I have remote access configured between a PIX running IOS 7.2(1) and
Cisco VPN clients running 4.8. I'm currently authenticating using
RADIUS from IAS running on a Windows 2003 Server. This server is
configured as a stand-alone workgroup server and all users are
maintained on it.

How do I enable changes to the Windows password when a user's password
has expired or they first get their account and are required to change
the password at first login? All my users are remote and never local
so the VPN is their only access. I know this is possible using the
Concentrator but the PIX and ASA's should have evolved to the point to
accomodate this.

Also, my current RADIUS exchange takes place using PAP, which is
unencrypted. How can I change this to MS-CHAP v2? Thanks!

 

I now have the MS-CHAPv2 working between the PIX and IAS. I ensured
MS-CHAPv2 was allowed on the IAS side and then added the
"password-management" on the tunnel group ipsec-attributes being used
for the remote connection. I'm still unable to change Windows password
though the 7.2(1) documentation says it will. Is the RADIUS command to
do this supported in Cisco ACS and not IAS RADIUS?

 

Enable MS-CHAPv2

How did you enable MS-CHAPv2 on the PIX [running 8.0(4)] to authenticate with MS RADIUS server (IAS)?

Thanks