Password reset functionality with Broadcom AAM/MFA
Article ID: 246671


Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

When using Broadcom MFA (ADVANCED AUTHENTICATION MAINFRAME 2.0) configured with RADIUS authentication through ACF2, is the user able to reset their password during ACF2 login or is there a way to display the error indicating the password is expired/locked?

Resolution

If not using Compound In-Band, users must change their RADIUS (non-Mainframe/ACF2) password outside of the TSO logon process, and they are not notified during the TSO logon process if it has expired.

If using Compound In-Band, the ACF2 password can be changed during the TSO logon process. The user will be notified if that password has expired and can change it in response to that notification. The same functionality does not exist for the RADIUS password.

Regarding RADIUS password error messages, at this time there is a generic MFA20107 RADIUS challenge message that appears in the java log. It is embedded within the text of an ESM message, which in turn is accompanied by TSO credential failure message(s). An expired password is one of the scenarios that lead to this message; the message text carries no additional detail. The RADIUS password will have to be reset outside of the TSO logon process. The java logs (which the end user typically does not have access to) show the message text returned by the RADIUS server for the challenge and can be used for troubleshooting.
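Since the end user only sees a generic failure while the RADIUS server's challenge text lands in the java log, a support engineer's first step is usually to pull the MFA20107 lines for the affected user and read the reason the RADIUS server gave. The script below is an added example of that triage step; it is not Broadcom code and not from the AAM product. The page does not show the java log layout, so the line format, the `user=` field and the sample lines are all constructed assumptions; adjust the regular expression to the real layout before use.

```python
"""Triage helper: pull MFA20107 RADIUS challenge lines out of an AAM java log.

Added example (not Broadcom/AAM code). The log layout below is an ASSUMPTION
constructed for illustration; only the MFA20107 identifier comes from the article.
"""
import re
from dataclasses import dataclass

# Constructed sample java log; timestamp, level, component and user= fields are assumed.
SAMPLE_JAVALOG = """\
2024-01-15 09:12:01 INFO  RadiusAuth user=USER01 auth=ACCEPT
2024-01-15 09:12:44 WARN  RadiusAuth user=USER02 MFA20107 RADIUS challenge: Password has expired, please change it
2024-01-15 09:13:10 WARN  RadiusAuth user=USER03 MFA20107 RADIUS challenge: Account locked
2024-01-15 09:13:12 INFO  RadiusAuth user=USER04 auth=ACCEPT
"""

# Assumed layout: "<date> <time> <level> <component> user=<id> MFA20107 RADIUS challenge: <server text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\S+\s+\S+\s+user=(?P<user>\S+)\s+MFA20107\s+RADIUS challenge:\s*(?P<reason>.*)$"
)


@dataclass
class RadiusChallenge:
    timestamp: str
    user: str
    reason: str  # the free text the RADIUS server sent with the challenge


def find_radius_challenges(log_text):
    """Return one RadiusChallenge per MFA20107 line; all other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(RadiusChallenge(m["ts"], m["user"], m["reason"].strip()))
    return found


def classify(reason):
    """Bucket the RADIUS server's challenge text with simple keyword heuristics.

    The server text is free-form and vendor specific, so anything not recognised
    is reported as 'other-challenge' rather than guessed at.
    """
    r = reason.lower()
    if "expir" in r:
        return "expired-password"
    if "lock" in r:
        return "locked-account"
    return "other-challenge"


def triage(log_text):
    """Map each user who hit an MFA20107 challenge to a triage bucket."""
    return {c.user: classify(c.reason) for c in find_radius_challenges(log_text)}


if __name__ == "__main__":
    for c in find_radius_challenges(SAMPLE_JAVALOG):
        print(f"{c.timestamp} {c.user}: {classify(c.reason)} ({c.reason})")
```

The buckets only steer the next action (tell the user to reset the RADIUS password outside TSO, or escalate a lockout to the RADIUS administrator); the exact server text should still be read, since the MFA20107 message itself carries no detail.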

Additional Information

Documentation and examples for Compound In-Band sign-on can be found in the AAM documentation section "Sign On When Using RADIUS with Compound In-Band".