Hello,
On 1.
- Yes an expired password should stop them from using the VPN. I say Should because it depends strongly on your exact VPN-Settings. If you bind your Authentication straight to the AD I would say Yes.
On 2.
- This is a broad question and more a matter of your security politics and whats behind your portal . Is Self-Service a consideration ?
On 3.
- If no you might use the auth-module in your VPN Environment. If yes have a look to our documentation about password management
What ever you do, have fun 