A customer reported that SSL VPN login failed; the error shown in the web browser reads "Invalid user, incorrect password or the user is locked", see the snapshot below:
No alarm indicated any error.
1. Since the error message "Invalid user, incorrect password or the user is locked" was given, the configuration of the USG6300 was checked carefully. It was confirmed that the user information is added locally, the authentication scheme is local, and the user name and password are correct. The same error was returned on multiple login attempts.
2. Because authentication is configured to be performed locally, the USG6300 did not exchange any authentication data with an AD server or RADIUS server, so the problem must lie within the USG6300 itself. To dig deeper, AAA debugging was enabled and the SSL VPN login was tried again. The same error was seen, but this time the debugging output recorded the login failure; part of it is shown below:
<USG6300>debugging aaa all
Oct 20 2017 10:23:35.945.1-05:00 DST USG6300 AAA/7/DEBUG:
AAA receive AAA_SRV_MSG_AUTHEN_REQ message from CM module.
Oct 20 2017 10:23:35.945.2-05:00 DST USG6300 AAA/7/DEBUG:
DestIndex:226 SrcIndex:226 Slot:0
User:user2@tech Password:*** MAC:ffff-ffff-ffff
Slot:0 SubSlot:0 Port:0 VLAN:0
IP:255.255.255.255 AccessType:sslvpn AuthenType:PAP
AdminLevel:0 EapSize:0 AuthenCode:SSLVPN
ulInterface:4294967295 ChallengeLen:16 ChapID:0
LineType:0 LineIndex:0 PortType:5
Oct 20 2017 10:23:35.975.3-05:00 DST USG6300 AAA/7/DEBUG:
AAA_MAIN initiate LAMAuthenAck event to AAA_AUTHEN module.
CID:350 Result:0 Info:1206705684
Oct 20 2017 10:23:35.975.10-05:00 DST USG6300 AAA/7/DEBUG:
AAA_AUTHEN initiate NormalAuthorRequest event to AAA_AUTHOR module.
CID:350 Result:0 Info:0
Oct 20 2017 10:23:35.975.11-05:00 DST USG6300 AAA/7/DEBUG:
AAA_AUTHOR initiate AuthorAck event to AAA_AUTHEN module.
CID:350 Result:1 Info:0
Oct 20 2017 10:23:35.975.12-05:00 DST USG6300 AAA/7/DEBUG:
[AAA ERROR]authen finish,the authen fail reason is:15
3. Based on the output, the Result of AuthenAck is 0 while the Result of AuthorAck is 1, and the fail reason is 15. So the SSL VPN login failure appears to be related to authorization; however, no document states what code 15 actually means.
After checking with R&D, it was confirmed that the login failure is caused by an authorization failure. Only local authentication was configured for the user; authorization was not set explicitly, so the USG6300 fell back to the default authorization, which is to query the RADIUS server, and authorization therefore failed.
An authorization configuration was added so that the user is also authorized locally. After that, the SSL VPN login succeeded.
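As an added example (not part of the original case and not Huawei code), a small Python parser that applies the reading above to the "debugging aaa all" output: it pairs each AAA event with the CID/Result line that follows it and reports whether the session stopped at authentication or at authorization. The sample lines are copied from the output above; the rule that Result 0 is success and non-zero is failure is taken from this case, not from a published code table.

```python
import re

# Constructed sample: the relevant lines of the debugging output shown above (timestamp lines omitted).
SAMPLE_DEBUG = """\
User:user2@tech Password:*** MAC:ffff-ffff-ffff
IP:255.255.255.255 AccessType:sslvpn AuthenType:PAP
AAA_MAIN initiate LAMAuthenAck event to AAA_AUTHEN module.
CID:350 Result:0 Info:1206705684
AAA_AUTHEN initiate NormalAuthorRequest event to AAA_AUTHOR module.
CID:350 Result:0 Info:0
AAA_AUTHOR initiate AuthorAck event to AAA_AUTHEN module.
CID:350 Result:1 Info:0
[AAA ERROR]authen finish,the authen fail reason is:15
"""

USER_RE = re.compile(r"^User:(\S+) Password:")
EVENT_RE = re.compile(r"^\w+ initiate (\w+) event to \w+ module\.$")
RESULT_RE = re.compile(r"^CID:(\d+) Result:(\d+) Info:(-?\d+)$")
FAIL_RE = re.compile(r"authen fail reason is:(\d+)")


def parse_aaa_debug(text):
    """Return the user, the Result of each AAA event (keyed by event name) and the fail reason."""
    session = {"user": None, "events": {}, "fail_reason": None}
    pending = None  # event whose "CID:... Result:..." line comes next
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            session["user"] = m.group(1)
        elif m := EVENT_RE.match(line):
            pending = m.group(1)  # LAMAuthenAck, NormalAuthorRequest, AuthorAck
        elif (m := RESULT_RE.match(line)) and pending:
            session["events"][pending] = int(m.group(2))
            pending = None
        elif m := FAIL_RE.search(line):
            session["fail_reason"] = int(m.group(1))
    return session


def diagnose(session):
    """Name the AAA phase that failed; Result 0 is success, non-zero is failure."""
    authen = session["events"].get("LAMAuthenAck")
    author = session["events"].get("AuthorAck")
    if authen is None or author is None:
        return "incomplete"
    if authen != 0:
        return "authentication failed"
    if author != 0:
        # credentials were accepted but the user was rejected at authorization
        return "authorization failed"
    return "success"
```

Running `diagnose(parse_aaa_debug(SAMPLE_DEBUG))` on the case's own lines yields "authorization failed", which is the conclusion R&D confirmed.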
In summary, what is commonly called user authentication actually involves both authentication and authorization; missing either part causes network access to fail.
According to the documentation, the user name and password of an SSL VPN user are saved on the local FW, and the SSL VPN user is also authenticated on the local FW, as illustrated in the diagram below:
In practice, for an SSL VPN login to succeed, both authentication and authorization must pass. Missing either configuration will cause the login to fail.