There are a lot of ways to authenticate a VPN user even without ACS. You can configure your PIX firewall as VPN gateway which can authenticate a VPN user locally or you can implement XAUTH using RADIUS. The radius server can be any freely available compliant unix server or you you can use your windows domain controller for XAUTh using "Active Directory" as radius server. Again you can use one factor authentication or two factor authentication. The basic two factor authentication you can do with a PIX is that you can use the static IP address of the VPN client in PIX VPN config as the second factor (i.e. what you have) along with radius password (i.e. what you know). The limitation with this approach is that the VPN connectivity can be granted only from a previously configured IP address.

Otherwise you can implement a challenge response method as two factor authentication where you can use the tokens (software or hardware) as "what you have" to generate one time passwords, again these tokens can be configured as "response only mode" or "cahllenge resonse mode".

I have tested and implemented above mentioned methods successfully. Again if you already have a radius server working from your old installation and you don't want the headache of scrapping all that user database info and configuring it again on the new radius servers there are middleware radius" solutions available which can save your previous investment and are a lot cheaper (if you don't have thousands of VPN users).