
CIS has developed a modification to CAS to support the passwordExpired flag in LDAP. This flow diagram outlines the process.
A key item to note in the flow diagram is the order in which the checks occur. The tamuStatus attribute is read and processed only after CAS has successfully bound to the directory with the customer's credentials; if the bind fails, the flag is never consulted, and the attempt is treated as an ordinary failed login. Because the directory accepted the customer's password, the same credentials will let them log in to Neo to change it. Setting a new password clears the passwordExpired flag, after which the customer can complete a CAS login.
As shown in the flow diagram, if the passwordExpired flag is present in the customer's directory entry, the login fails: the authentication module raises an error condition, which is then reflected on the CAS login page. The screen capture shows how the login page notifies the customer of an expired password. The customer can simply click the supplied link to navigate to the appropriate page to change their password.
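The following is an added example, not CIS's CAS modification or any CAS code, that models the ordering shown in the flow diagram: bind first, and only then read tamuStatus. The directory is a constructed in-memory dict standing in for LDAP, the bind is a constant-time password comparison standing in for an LDAP simple bind, and the password-change URL, the status value "active", and the function names are assumptions; only the tamuStatus attribute and the passwordExpired flag come from the page.

```python
"""Model of the CAS/LDAP passwordExpired check: bind, then inspect tamuStatus."""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Hypothetical password-change URL (assumption; the page only names "Neo").
PASSWORD_CHANGE_URL = "https://neo.example.edu/change-password"


class Outcome(Enum):
    SUCCESS = "success"
    BAD_CREDENTIALS = "bad_credentials"
    PASSWORD_EXPIRED = "password_expired"


@dataclass
class AuthResult:
    outcome: Outcome
    message: str
    link: Optional[str] = None


# Constructed directory standing in for LDAP: uid -> (password, tamuStatus values).
# "active" is an assumed status value; "passwordExpired" is the flag from the page.
DIRECTORY = {
    "alice": ("correct horse", ["active"]),
    "bob": ("battery staple", ["active", "passwordExpired"]),
}


def ldap_bind(uid: str, password: str) -> bool:
    """Simulate an LDAP simple bind: True only if uid exists and the password matches."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        # Compare anyway so timing does not reveal whether the uid exists.
        hmac.compare_digest(password.encode(), b"")
        return False
    return hmac.compare_digest(entry[0].encode(), password.encode())


def read_status(uid: str) -> list:
    """Read the tamuStatus attribute. Only called after a successful bind."""
    return DIRECTORY[uid][1]


def authenticate(uid: str, password: str) -> AuthResult:
    """CAS-side flow: bind first; only then look at tamuStatus."""
    if not ldap_bind(uid, password):
        # The flag is never consulted on a failed bind, so an unauthenticated
        # caller cannot learn whether an account's password has expired.
        return AuthResult(Outcome.BAD_CREDENTIALS, "Invalid credentials.")
    if "passwordExpired" in read_status(uid):
        return AuthResult(
            Outcome.PASSWORD_EXPIRED,
            "Your password has expired. Please change it to continue.",
            link=PASSWORD_CHANGE_URL,
        )
    return AuthResult(Outcome.SUCCESS, "Authenticated.")


def change_password(uid: str, old_password: str, new_password: str) -> bool:
    """Neo-side step: the current password still binds, so it gates the change;
    setting the new password clears the passwordExpired flag."""
    if not ldap_bind(uid, old_password):
        return False
    _, status = DIRECTORY[uid]
    DIRECTORY[uid] = (new_password, [s for s in status if s != "passwordExpired"])
    return True


if __name__ == "__main__":
    print(authenticate("bob", "battery staple"))   # PASSWORD_EXPIRED with link
    change_password("bob", "battery staple", "new pass 1")
    print(authenticate("bob", "new pass 1"))        # SUCCESS
```

The point of the ordering is visible in the two failure branches: a wrong password for an account whose flag is set yields the same bad-credentials result as a wrong password for any other account, and only a caller who has already proven the password sees the expired-password message and the change link.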
In general, no: CAS handles checking the flag and directs the customer to the password reset page. In this case CAS does not return to your application, and from the application's point of view the behavior is the same as a failed login attempt. If, however, your application captures the CAS login page, you may have to account for the new message that is issued when the login fails.
For more information on CAS and how to use it for your applications, please see the FAQ.