What you’re looking for is already built in to the common ISAKMP/IPSEC VPN. Isakmp does the group level authentication (contained within PCF files generally) and then the user level authentication (username/password). The Cisco ASAs support a third level for RSA tokens, etc, if you so desire as well.
Unfortunately, I’m not sure about concentrators. They are EOL and so it’s hard to find much on them anymore.