6. dit the /etc/awstats/awstats.conf and enabled the setting AllowAccessFromWebToAuthenticatedUsersOnly to 1. This is the protection to stop 1 domain on your host checking the other domains on your system in combination with the per site setting AllowAccessFromWebToFollowingAuthenticatedUsers.
This is not required, else what happens is the user gets prompted for 2 logins, once by ispconfigs setting "admin" and then by yours "client name".
As ispconfig has the option to change or set a password for the stats site, the user will be prompted for this anyway.
I had endless problems trying to find out why I am being asked twice.
This now presents a problem if the users edit the web address ?config=example.co.za to another sites address they will have access to those stats.
if you do turn off
you will also need to comment out
# vi /etc/apache2/conf.d/awstats.conf
AuthName "Site Client Access Only"
<limit GET PUT POST>