The information of "change password in next logon" is not just a flag or an attribute... it is a mix of both:

"Pwd-Last-Set attribute (...) If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon."

in this Microsoft article.

In RADIUS (here my knowledge is very limited) you have another code/message to inform the client (in this case, the SA) that the user must change the password:

"4. New Messages (...) 32 Password Expired" in RFC2882

So in order for all this to work, it should be something like:

- The RADIUS client sends the user credentials to the RADIUS server.
- The RADIUS server checks via LDAP the credentials of the user, and whether the Pwd-Last-Set attribute is 0 and User-Account-Control has the UF_DONT_EXPIRE_PASSWD flag.
- If true, the RADIUS server sends the RADIUS client the attribute/message 32 so that the password is changed.

Commercial products implement this... check whether FreeRADIUS does this out of the box or whether you need to code it.
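A sketch of the server-side decision, following the rule as worded in the quoted Microsoft text (Pwd-Last-Set is 0 and UF_DONT_EXPIRE_PASSWD is not set). This is an added example, not part of the original post and not FreeRADIUS code; the function names and sample entries are constructed, reply codes 2 and 3 are the standard Access-Accept and Access-Reject, and 32 is the code quoted in the post.

```python
# Added example: function names and sample entries are constructed for illustration.
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit for "password never expires"

# RADIUS packet codes: 2 and 3 from RFC 2865, 32 as quoted in the post.
ACCESS_ACCEPT, ACCESS_REJECT, PASSWORD_EXPIRED = 2, 3, 32


def _as_int(entry, name):
    """Return an LDAP attribute as int; accepts int, str, bytes or a list of those."""
    value = entry.get(name)
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if value is None:
        return None
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return int(value)


def must_change_at_next_logon(entry):
    """Quoted rule: pwdLastSet == 0 and UF_DONT_EXPIRE_PASSWD not set."""
    pwd_last_set = _as_int(entry, "pwdLastSet")
    uac = _as_int(entry, "userAccountControl")
    if pwd_last_set is None or uac is None:
        # Fail closed: a partial LDAP read must not be treated as "no change needed".
        raise ValueError("entry lacks pwdLastSet or userAccountControl")
    return pwd_last_set == 0 and not (uac & UF_DONT_EXPIRE_PASSWD)


def radius_reply_code(credentials_ok, entry):
    """Pick the reply code; account state is revealed only after the password checks out."""
    if not credentials_ok:
        return ACCESS_REJECT
    if must_change_at_next_logon(entry):
        return PASSWORD_EXPIRED
    return ACCESS_ACCEPT


# Constructed sample entries, shaped like python-ldap results (lists of bytes).
FORCED_CHANGE = {"pwdLastSet": [b"0"], "userAccountControl": [b"512"]}
NEVER_EXPIRES = {"pwdLastSet": [b"0"], "userAccountControl": [b"66048"]}  # 0x10000 | 512
NORMAL = {"pwdLastSet": [b"133500000000000000"], "userAccountControl": [b"512"]}

if __name__ == "__main__":
    for label, e in (("forced", FORCED_CHANGE), ("never-expires", NEVER_EXPIRES), ("normal", NORMAL)):
        print(label, radius_reply_code(True, e), radius_reply_code(False, e))
```

Returning Access-Reject for a wrong password regardless of account state keeps the server from disclosing which accounts are pending a password change to someone who does not know the current password.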