Hi ,
Based on my understanding, you want to allow VPN client (domain user) to change their password themselves when password expired. Is that right? Please feel free to let me know if my understanding is wrong.
Did you want to achieve the following goal?When password has expired, VPN clients can change their password by themselves.(I used windows build-in VPN client to do the test, we have no third-party VPN client in our lab to do the test.)
If yes, just check Allow client to change password after it has expired in EAP MSCHAPV2 Properties from NPS network policy. Then we can change password by ourselves when password expired.
If we did not check this option, then after password expired we cannot connect to VPN. As the picture below:
Hope this can help you.
--Please Accept as answer if the reply is helpful--
Best Regards,
Candy