VPN - Local accounts for external parties

Hi all, 

Recently moved to production on the 1500D and things are going smoothly and well. One thing I noticed when I implemented the VPN portion was that a local account doesn't seem to have a check to ''Users must change their password on first logon'' option like I had with my previous solution. As far as corporate accounts, everything is under LDAP authentication and that works well, but for external parties, I don't need them to have an AD account, simply access to the VPN. I prefer having the consultants in question use their own password, but unless I missed the option somewhere, I cannot accomplish that. 

If anyone else has a similar use case, how do you handle this? Simply give a strong password and they are stuck with it or do you have another more practical solution?

Thanks,

Ben