The TACACS+ protocol defines a CHPASS (change password) query. This is not supported in the Cisco PD daemon, but is supported in CiscoSecure ACS.