user authenticate with Certificates, we can config your Concentrator in order to ask for username / password, this is called phase 1.5, actually certificates is known as phase 1, once user is authenticated will start phase 2 (ipsec). You can config your Concentrator for local or external authentication.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080181220.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094a03.shtml