Does hidden/login.asp use an HTTP POST? Does it actually exist? (The page isn't exactly hidden if you tell everyone where it is....seems strange to name a directory that way). Are the fields actually username, password, and login?
If you want user to be user1 wouldn't your form data be post?username=user1? Why bother passing password and login via form data if you aren't assigning any value to them?
Is there a reason you want to use Medusa and not Hyrda? (Not that it can't be done with Medusa but from the people I've talked to and the documentation I've seen Hydra is a much better bet if you need support).