Windows 2008 r2 Network Policy Server VPN

I have a Cisco Radius Client setup in the Network Policy Server snap-in for VPN access. Recently I'm getting anonymous user from a couple of different IP's trying to connect (or hack in) through the VPN connection. I'm seeing this through the Network Policy and Access Service event log. Event ID 20271. Below is a copy/paste of one of the events.

Log Name:      System
Source:        RemoteAccess
Date:          11/17/2015 8:47:19 AM
Event ID:      20271
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
CoId={NA}: The user anyuser connected from but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.
Event Xml:
<Event xmlns="">
    <Provider Name="RemoteAccess" />
    <EventID Qualifiers="0">20271</EventID>
    <TimeCreated SystemTime="2015-11-17T16:47:19.000000000Z" />
    <Security />
    <Data>The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.</Data>

1.) What is the best way to safe guard against this? - I'm currently blocking the offending IP address's on my firewall but this is reactionary defense and I would rather be proactive then reactive.

2.) Is there a better way to set up a VPN connection other than Cisco Radius Client? Or do I need to tweak the settings I already have?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Your issue can have several reasons....
a.) You have a dynamic external IP and due to the change of the IP, you hit one where somebody tried to establish a vpn connection. If you see all the time the same user name and source IP, it may stop or change when you get a new external IP.
b.) Something similar you can see even with fixed IPs, if a user just mistyped a name or IP for vpn connection. Such tries will stop after the source recognizes, that their vpn doesn't work.

In both cases have a look a the user name in the logs. The name can give you a clue what it may be. A lot of admins call their users like the service what is behind it (cashstation, telephoneuser or similar). Such misconfigured vpn clients use all the time the same user and they try to logon very regularly (fixed intervals). Also the source IP is mostly the same if it doesn't change regularly (usually once a day).

If you see more common names or well known, built in or often used names like admin, administrator, then it could be...

c.) a student in a commuter course which tries to hack just around for fun.
This will stop after 5 or 10 attempt, the most stupid way to try to hack, nevertheless sometimes successfull for luck.

For all cases, there is not really something to do with the exception to keep your system save.

Note: If somebody really tries to hack your system via vpn, the attacks are more massive as they want to find a password. But there are more effective ways to hack a system than just try some passwords with well known names....
And of course..., you dont'n offer vpn to standard build in users and your passwords are compex enough.

To your questions:
You may create a group and put all users inside, which should be able to logon. Use this group as a limitation for your connection rule. Never allow it in general and especially not to well known / built in users.
As more complex your usernames and as more complex the passwords, as less it the chance to crack them (this is the most important protection).
Radius is used for a non domain member which has to validate users for authentication. This is not unusual for routers. The client tries to connect, send its credentials and the Radius client tries to resolve user and password.

You have to see what kind of protection mechanism your router offers. A real VPN router will offer a lot of additional protection. Such router also support certificate base authentication for either the client, the user or even both. This is an additional protection level because you have a second authentication level, but needs also a PKI which provides the certs.
In such a scenario, the router enforces a certificate. The client sends it (i.e a computer certificate) and the router first check the cert, if it is valid and also if it fits to a corresponding root cert. Then the user authentication will happen.

If your router is just a simple box without additionally capabilities, you can set the router o VPN pass through and you use a windows server as the VPN endpoint or any other VPN capable device or software solution.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jmac44Author Commented:
Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.