TACACS+ protocol introduced with the IOS AAA architecture had great provisions for customizing the whole login process (user-defined banners, prompts …). Unfortunately, it never really took off and most AAA solutions deployed today rely on RADIUS servers that cannot control the login process itself (the RADIUS server can only check the username/password pair for validity).
To change the login prompts when using RADIUS servers, use the aaa authentication [banner|fail-message|password-prompt|username-prompt] text configuration command.For example, to introduce meaningful prompts when using one-time password solution, you could use something similar to this configuration:aaa authentication banner #
Access to this router is protected with one-time passwords.
Send an e-mail to firstname.lastname@example.org if you need access.
aaa authentication fail-message #
Login failed. Wait at least 30 seconds and retry
aaa authentication password-prompt "Enter your PIN + one-time password:"
aaa authentication username-prompt "Enter your username:"
Note: the texts specified with the password-prompt and username-prompt options are one-line texts delimited with quotes, the parameters of the banner and fail-message options are multi-lined texts delimited with any character.