Netsh commands for RAS

You can administer remote access servers by typing commands at the command prompt for the Netsh RAS context. By using the Netsh RAS command prompt, you can administer servers more quickly over slow network connections, and you can create scripts that automate the administration of many servers.

To run these Netsh commands on a remote Windows 2000 Server, you must first use Remote Desktop Connection to connect to a Windows 2000 Server that is running Terminal Server. There might be functional differences between Netsh context commands on Windows 2000 and Windows XP.

For more information on Netsh, see Using Netsh.

help

Displays command-line help for commands you can use in the Netsh RAS context.

Syntax

help

Parameters

none

Remarks

  • You can also display command-line help by typing any of the following at the command prompt for the Netsh RAS context: ?, /?, or -?.

show activeservers

Displays a list of remote access server advertisements.

Syntax

show activeservers

Parameters

none

show client

Lists remote access clients connected to this server.

Syntax

show client

Parameters

none

dump

Displays the configuration of the remote access server in script form.

Syntax

dump

Parameters

none

show tracing

Shows whether tracing is enabled for the specified component. Used without parameters, show tracing lists all installed components and whether tracing is enabled for each.

Syntax

show tracing [Component]

Parameters

Component   : Specifies the component for which to display information.

set tracing

Enables or disables tracing for the specified component.

Syntax

set tracing Component {enabled | disabled}

Parameters

Component   : Required. Specifies the component for which you want to enable or disable tracing. Use * to specify all components.

{ enabled | disabled } : Required. Specifies whether to enable or disable tracing for the specified component.

Remarks

  • To see a list of all installed components, use the show tracing command without parameters.

Examples

To set tracing for the PPP component, type:

set tracing ppp enabled

show authmode

Shows whether dial-up clients using certain types of devices should be authenticated.

Syntax

show authmode

Parameters

none

set authmode

Specifies whether dial-up clients using certain types of devices should be authenticated.

Syntax

set authmode {standard | nodcc | bypass}

Parameters

{ standard | nodcc | bypass } : Required. Specifies whether dial-up clients using certain types of devices should be authenticated. The parameter standard specifies that clients using any type of device should be authenticated. The parameter nodcc specifies that clients using any type of device except a direct-connect device should be authenticated. The parameter bypass specifies that no clients should be authenticated.

add authtype

Adds an authentication type to the list of types through which the remote access server should attempt to negotiate authentication.

Syntax

add authtype {pap|spap|md5chap|mschap|mschapv2|eap}

Parameters

{ pap | spap | md5chap | mschap | mschapv2 | eap } : Required. Specifies which authentication type to add to the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should use the Password Authentication Protocol (clear text). The spap parameter specifies that the remote access server should use the Shiva Password Authentication Protocol. The md5chap parameter specifies that the remote access server should use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should use Version 2 of MSCHAP. The eap parameter specifies that the remote access server should use Extensible Authentication Protocol.

Remarks

  • The remote access server will attempt to negotiate authentication by using protocols in order from the most secure to the least secure. After both the client and the server have agreed on an authentication type, PPP negotiation proceeds according to the appropriate RFCs.

delete authtype

Deletes an authentication type from the list of types through which the remote access server should attempt to negotiate authentication.

Syntax

delete authtype {pap|spap|md5chap|mschap|mschapv2|eap}

Parameters

{ pap | spap | md5chap | mschap | mschapv2 | eap } : Required. Specifies which authentication type to delete from the list of types through which the remote access server should attempt to negotiate authentication. The pap parameter specifies that the remote access server should not use the Password Authentication Protocol (clear text). The spap parameter specifies that the remote access server should not use the Shiva Password Authentication Protocol. The md5chap parameter specifies that the remote access server should not use the Challenge Handshake Authentication Protocol (using the Message Digest 5 hashing scheme to encrypt the response). The mschap parameter specifies that the remote access server should not use the Microsoft Challenge-Handshake Authentication Protocol. The mschapv2 parameter specifies that the remote access server should not use Version 2 of MSCHAP. The eap parameter specifies that the remote access server should not use Extensible Authentication Protocol.

show authtype

Lists the authentication type (or types) that the remote access server uses to attempt to negotiate authentication.

Syntax

show authtype

Parameters

none

add link

Adds a link property to the list of link properties PPP should negotiate.

Syntax

add link {swc | lcp}

Parameters

{ swc | lcp } : Required. Specifies which link property to add to the list of link properties PPP should negotiate. The parameter swc specifies that software compression (MPPC) should be added. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be added.

delete link

Deletes a link property from the list of link properties PPP should negotiate.

Syntax

delete link {swc | lcp}

Parameters

{ swc | lcp } : Required. Specifies which link property to delete from the list of link properties PPP should negotiate. The parameter swc specifies that software compression (MPPC) should be deleted. The parameter lcp specifies that Link Control Protocol extensions from the PPP suite of protocols should be deleted.

show link

Displays the link properties PPP should negotiate.

Syntax

show link

Parameters

none

add multilink

Adds a multilink type to the list of multilink types PPP should negotiate.

Syntax

add multilink {multi | bacp}

Parameters

{ multi | bacp } : Required. Specifies which multilink type to add to the list of multilink types PPP should negotiate. The parameter multi specifies that multilink PPP sessions should be added. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be added.

delete multilink

Deletes a multilink type from the list of multilink types PPP should negotiate.

Syntax

delete multilink {multi | bacp}

Parameters

{ multi | bacp } : Required. Specifies which multilink type to delete from the list of multilink types PPP should negotiate. The parameter multi specifies that multilink PPP sessions should be deleted. The parameter bacp specifies that Bandwidth Allocation Control Protocol should be deleted.

show multilink

Shows the multilink types PPP should negotiate.

Syntax

show multilink

Parameters

none

add registeredserver

Registers the specified server as a remote access server in the specified Active Directory domain. Used without parameters, add registeredserver registers the computer from which you type the command in its primary domain.

Syntax

add registeredserver [[domain=]DomainName] [[server=]ServerName]

Parameters

[ domain= ] DomainName   : Specifies, by domain name, the domain in which to register the server. If you do not specify a domain, the server is registered in its primary domain.

[ server= ] ServerName   : Specifies, by DNS name or IP address, the server to register. If you do not specify a server, the computer from which you type the command is registered.

delete registeredserver

Deletes the registration of the specified server as a remote access server from the specified Active Directory domain. Used without parameters, delete registeredserver deletes the registration of the computer from which you type the command from its primary domain.

Syntax

delete registeredserver [[domain=]DomainName] [[server=]ServerName]

Parameters

[ domain= ] DomainName   : Specifies, by domain name, the domain from which to remove the registration. If you do not specify a domain, the registration is removed from the primary domain of the computer from which you type the command.

[ server= ] ServerName   : Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do not specify a server, the registration is removed for the computer from which you type the command.

show registeredserver

Displays status information about the specified server registered as a remote access server in the specified Active Directory domain. Used without parameters, show registeredserver displays information about the computer from which you type the command in its primary domain.

Syntax

show registeredserver [[domain=]DomainName] [[server=]ServerName]

Parameters

[ domain= ] DomainName   : Specifies, by domain name, the domain in which the server about which you want to display information is registered. If you do not specify a domain, information is displayed about the server as it is registered in the primary domain of the computer from which you type the command.

[ server= ] ServerName   : Specifies, by IP address or DNS name, the server about which you want to display information. If you do not specify a server, information about the computer from which you typed the command is displayed.

show user

Displays the properties of a specified remote access user or users. Used without parameters, show user displays the properties of all remote access users.

Syntax

show user [name=UserName] [[mode=] {permit | report}]

Parameters

name= UserName   : Specifies, by logon name, the user whose properties you want to display. If you do not specify a user, the properties of all users are displayed.

mode= { permit | report } : Specifies whether to show properties for all users or only those whose dial-up permission is set to permit. The permit parameter specifies that properties should be displayed only for users whose dial-up permission is permit. The report parameter specifies that properties should be displayed for all users.

set user

Sets the properties of the specified remote access user.

Syntax

set user [name=]UserName [dialin] {permit | deny | policy} [cbpolicy] {none | caller | admin [cbnumber=]CallbackNumber}

Parameters

name= UserName   : Required. Specifies, by logon name, the user for which you want to set properties.

[ dialin ] { permit | deny | policy } : Required. Specifies under what circumstances the user should be allowed to connect. The permit parameter specifies that the user should always be allowed to connect. The deny parameter specifies that the user should never be allowed to connect. The policy parameter specifies that remote access policies should determine whether the user is allowed to connect.

[ cbpolicy ] { none | caller | admin [ cbnumber= ] CallbackNumber } : Required. Specifies the callback policy for the user. The callback feature saves the user the cost of the phone call used to connect to a remote access server. The none parameter specifies that the user should not be called back. The caller parameter specifies that the user should be called back at a number specified by the user at connection time. The admin parameter specifies that the user should be called back at the number specified by the CallbackNumber parameter.

Remarks

  • For users in a mixed-mode domain, the policy parameter and the deny parameter are equivalent.

Examples

To allow GuestUser to connect and be called back at 4255551212, type:

set user guestuser permit admin 4255551212

Netsh RAS IP context commands

The following commands are specific to the RAS IP context within the Netsh environment.

dump 

Creates a script that contains the IP configuration of a remote access server. If you save this script to a file, you can use it to restore IP configuration settings.

Syntax

dump

Parameters

none

show config

Displays the current IP configuration of the remote access server.

Syntax

show config

Parameters

none

set negotiation

Specifies whether the remote access server should allow IP to be configured for any client connections the server accepts.

Syntax

set negotiation {allow | deny}

Parameters

{ allow | deny } : Required. Specifies whether to permit IP over client connections. The allow parameter allows IP over client connections. The deny parameter prevents IP over client connections.

set access

Specifies whether IP network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.

Syntax

set access {all | serveronly}

Parameters

{ all | serveronly } : Required. Specifies whether clients should be able to reach the remote access server and any networks to which it is connected. The all parameter allows clients to reach networks through the server. The serveronly parameter allows clients to reach only the server.

set addrassign

Sets the method by which the remote access server should assign IP addresses to its clients.

Syntax

set addrassign {auto | pool}

Parameters

{ auto | pool } : Required. Specifies whether IP addresses should be assigned by using DHCP or from a pool of addresses held by the remote access server. The auto parameter specifies that addresses should be assigned by using DHCP. If no DHCP server is available, a random, private address is assigned. The pool parameter specifies that addresses should be assigned from a pool.

set addrreq

Specifies whether dial-up clients should be able to request their own IP addresses.

Syntax

set addrreq {allow | deny}

Parameters

{ allow | deny } : Required. Specifies whether clients should be able to request their own IP addresses. The allow parameter allows clients to request addresses. The deny parameter prevents clients from requesting addresses.

set broadcastnameresolution

Enables or disables broadcast name resolution using NetBIOS over TCP/IP.

Syntax

set broadcastnameresolution {enabled | disabled}

Parameters

{ enabled | disabled } : Required. Specifies whether to enable or disable broadcast name resolution using NetBIOS over TCP/IP.

add range

Adds a range of addresses to the pool of static IP addresses that the remote access server can assign to clients.

Syntax

add range [from=]StartingIPAddress [to=]EndingIPAddress

Parameters

[ from =] StartingIPAddress [ to =] EndingIPAddress   : Required. Specifies the range of IP addresses to add. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.

Examples

To add the range of IP addresses 10.2.2.10 to 10.2.2.20 to the static pool of IP addresses that the remote access server can assign, type:

add range from=10.2.2.10 to=10.2.2.20

delete range

Deletes a range of addresses from the pool of static IP addresses that the remote access server can assign to clients.

Syntax

delete range [from=]StartingIPAddress [to=]EndingIPAddress

Parameters

[ from =] StartingIPAddress [ to =] EndingIPAddress   : Required. Specifies the range of IP addresses to delete. The StartingIPAddress parameter specifies the first IP address in the range. The EndingIPAddress parameter specifies the last IP address in the range.

Examples

To delete the range of IP addresses 10.2.2.10 to 10.2.2.20 from the pool of static IP addresses that the remote access server can assign, type:

delete range from=10.2.2.10 to=10.2.2.20

delete pool

Deletes all addresses from the pool of static IP addresses that the remote access server can assign to clients.

Syntax

delete pool

Parameters

none

Netsh RAS IPX context commands

The following commands are specific to the RAS IPX context within the Netsh environment. The IPX/SPX protocol is not available on Windows XP 64-Bit Edition.

dump 

Creates a script that contains the IPX configuration of the remote access server. If you save this script to a file, you can use it to restore IPX configuration settings.

Syntax

dump

Parameters

none

show config

Displays the current IPX configuration of the remote access server.

Syntax

show config

Parameters

none

set negotiation

Specifies whether the remote access server should allow IPX to be configured for any client connections it accepts.

Syntax

set negotiation {allow | deny}

Parameters

{ allow | deny } : Required. Specifies whether to allow IPX configuration. The allow parameter allows IPX configuration. The deny parameter prevents IPX configuration.

set access

Specifies whether IPX network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.

Syntax

set access {all | serveronly}

Parameters

{ all | serveronly } : Required. Specifies whether IPX traffic should be forwarded. The all parameter allows IPX traffic to be forwarded. The serveronly parameter prevents traffic from being forwarded.

set netassign

Specifies the method by which the remote access server assigns IPX addresses to its clients.

Syntax

set netassign [method] {auto | pool | autosame | poolsame}

Parameters

[ method ] { auto | pool | autosame | poolsame } : Required. Specifies the method by which the remote access server assigns IPX addresses to clients. The auto parameter specifies that the remote access server should assign a different random IPX network number to each client. The pool parameter specifies that the remote access server should assign a different IPX address from a pool of addresses to each client. The autosame parameter specifies that the remote access server should generate a random IPX network number and assign it to all clients. The poolsame parameter specifies that the remote access server should assign an address from a pool to all clients.

Remarks

  • For most configurations, either the autosame parameter or the poolsame parameter is recommended because they conserve network numbers and reduce network traffic.

  • Before the remote access server assigns a network number to a client, the server must verify whether the number is already in use on the intranet to which the remote access server is connected. As a result, some addresses in the pool might not be assigned.

set pool

Specifies the pool of IPX addresses from which the remote access server can assign addresses to clients.

Syntax

set pool [firstnet=]IPXAddress [size=]{PoolSize | 0}

Parameters

[ firstnet =] IPXAddress   : Required. Specifies, in hexadecimal notation, the first IPX address in the pool.

[ size =]{ PoolSize | 0 } : Required. Specifies the size of the pool or that the pool should grow as needed. The PoolSize parameter specifies, in decimal notation, the number of IPX addresses in the pool. The 0 parameter specifies that the pool should grow as needed.

Examples

To specify that the pool of IPX addresses should start at AAAAAAA and grow as needed, type:

set pool AAAAAAA 0

set nodereq

Specifies whether dial-up clients should be permitted to request their own IPX node numbers.

Syntax

set nodereq {allow | deny}

Parameters

{ allow | deny } : Required. Specifies whether to allow clients to request their own IPX node numbers. The allow parameter grants such requests. The deny parameter ignores such requests.

Netsh RAS AppleTalk context commands

The following commands are specific to the RAS AppleTalk context within the Netsh environment. The AppleTalk protocol is not available on Windows XP Home Edition or Windows XP Professional.

dump 

Creates a script that contains the AppleTalk configuration of the remote access server. If you save this script to a file, you can use it to restore AppleTalk configuration settings.

Syntax

dump

Parameters

none

show config

Displays the current AppleTalk configuration of the remote access server.

Syntax

show config

Parameters

none

set negotiation

Specifies whether the remote access server should allow AppleTalk to be configured for any client connections the server accepts.

Syntax

set negotiation {allow | deny}

Parameters

{ allow | deny } : Required. Specifies whether to allow AppleTalk configuration. The allow parameter allows configuration. The deny parameter prevents configuration.

set access

Specifies whether AppleTalk network traffic from any client should be forwarded to the network or networks to which the remote access server is connected.

Syntax

set access {all | serveronly}

Parameters

{ all | serveronly } : Required. Specifies whether to forward AppleTalk network traffic. The all parameter allows traffic to be forwarded. The serveronly parameter prevents traffic from being forwarded.

Netsh RAS AAAA context commands

The following commands are specific to the RAS AAAA context within the Netsh environment.

dump 

Displays the AAAA configuration of a remote access server in script form.

Syntax

dump

Parameters

none

add acctserv

Specifies the IP address or the DNS name of a RADIUS server to use for accounting and specifies accounting options.

Syntax

add acctserv [name=]ServerID [[secret=]SharedSecret] [[init-score=]ServerPriority] [[port=]Port] [[timeout=]Seconds] [[messages] {enabled | disabled}]

Parameters

[ name =] ServerID   : Required. Specifies, by IP address or DNS name, the RADIUS server.

[ secret =] SharedSecret   : Specifies the shared secret.

[ init-score =] ServerPriority   : Specifies the initial score (server priority).

[ port =] Port   : Specifies the port to which accounting requests should be sent.

[ timeout =] Seconds   : Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.

[ messages ] { enabled | disabled } : Specifies whether to send accounting on/off messages. The enabled parameter specifies that messages should be sent. The disabled parameter specifies that messages should not be sent.

delete acctserv

Deletes a RADIUS accounting server.

Syntax

delete acctserv [name=]ServerID

Parameters

[ name =] ServerID   : Required. Specifies, by DNS name or IP address, which server to delete.

set acctserv

Provides the IP address or the DNS name of a RADIUS server to use for accounting.

Syntax

set acctserv [name=]ServerID [[secret=]SharedSecret] [[init-score=]ServerPriority] [[port=]Port] [[timeout=]Seconds] [[messages] {enabled | disabled}]

Parameters

[ name= ] ServerID   : Required. Specifies, by IP address or DNS name, the RADIUS server.

[ secret= ] SharedSecret   : Specifies the shared secret.

[ init-score= ] ServerPriority   : Specifies the initial score (server priority).

[ port= ] Port   : Specifies the port on which to send the authentication requests.

[ timeout= ] Seconds   : Specifies, in seconds, the amount of time that should elapse before the RADIUS server is marked unavailable.

[ messages= ] { enabled | disabled } : Specifies whether accounting on/off messages should be sent.

show acctserv

Displays detailed information about an accounting server. Used without parameters, show acctserv displays information about all configured accounting servers.

Syntax

show acctserv [[name=]ServerID]

Parameters

[ name =] ServerID   : Specifies, by DNS name or IP address, the RADIUS server about which to display information.

add authserv

Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.

Syntax

add authserv [name=]ServerID [[secret=]SharedSecret] [[init-score=]ServerPriority] [[port=]Port] [[timeout=]Seconds] [[signature] {enabled | disabled}]

Parameters

[ name =] ServerID   : Required. Specifies, by IP address or DNS name, the RADIUS server.

[ secret =] SharedSecret   : Specifies the shared secret.

[ init-score =] ServerPriority   : Specifies the initial score (server priority).

[ port =] Port   : Specifies the port to which authentication requests should be sent.

[ timeout =] Seconds   : Specifies the timeout period, in seconds, during which the RADIUS server can be idle before it should be marked unavailable.

[ signature ] { enabled | disabled } : Specifies whether to use digital signatures. The enabled parameter specifies that digital signatures should be used. The disabled parameter specifies that digital signatures should not be used.

delete authserv

Deletes a RADIUS authentication server.

Syntax

delete authserv [name=]ServerID

Parameters

[ name =] ServerID   : Required. Specifies, by DNS name or IP address, which server to delete.

set authserv

Provides the IP address or the DNS name of a RADIUS server to which authentication requests should be passed.

Syntax

set authserv [name=]ServerID [[secret=]SharedSecret] [[init-score=]ServerPriority] [[port=]Port] [[timeout=]Seconds] [[signature] {enabled | disabled}]

Parameters

[ name= ] ServerID   : Required. Specifies, by IP address or DNS name, the RADIUS server.

[ secret= ] SharedSecret   : Specifies the shared secret.

[ init-score= ] ServerPriority   : Specifies the initial score (server priority).

[ port= ] Port   : Specifies the port on which to send the authentication requests.

[ timeout= ] Seconds   : Specifies the amount of time, in seconds, that should elapse before the RADIUS server is marked unavailable.

[ signature= ] { enabled | disabled } : Specifies whether digital signatures should be used.

show authserv

Displays detailed information about an authentication server. Used without parameters, show authserv displays information about all configured authentication servers.

Syntax

show authserv [[name=]ServerID]

Parameters

[ name =] ServerID   : Specifies, by DNS name or IP address, the RADIUS server about which to display information.

set acco

Specifies the accounting provider.

Syntax

set acco provider {windows | radius | none}

Parameters

provider { windows | radius | none } : Required. Specifies whether accounting should be performed and by which server. The windows parameter specifies that Windows security should perform accounting. The radius parameter specifies that a RADIUS server should perform accounting. The none parameter specifies that no accounting should be performed.

show acco

Displays the accounting provider.

Syntax

show acco

Parameters

none

set authe

Specifies the authentication provider.

Syntax

set authe provider {windows | radius}

Parameters

provider { windows | radius } : Required. Specifies which technology should perform authentication. The windows parameter specifies that Windows security should perform authentication. The radius parameter specifies that a RADIUS server should perform authentication.

show authe

Displays the authentication provider.

Syntax

show authe

Parameters

none
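
Several settings documented above weaken authentication when they appear in an automation script: set authmode bypass or nodcc, add authtype pap (clear text), a RADIUS shared secret typed into add authserv or add acctserv, signature disabled, and set acco provider none. The following Python linter is an added example, not part of the original documentation; it assumes the script uses the command syntax shown on this page, the severity ratings are the example's own, and the sample script, server name and secret are constructed.

```python
import re

# Authentication types this example treats as weak; the page documents pap as clear text.
WEAK_AUTHTYPES = {"pap", "spap", "md5chap", "mschap"}
PREFIXES = {"netsh", "ras", "ip", "ipx", "appletalk", "aaaa"}
OPTION_WORDS = {"signature", "messages", "enabled", "disabled"}


def _tokens(line):
    """Join 'tag = value' into 'tag=value', split, and drop leading context names."""
    toks = re.sub(r"\s*=\s*", "=", line.strip()).split()
    while toks and toks[0].lower() in PREFIXES:
        toks.pop(0)
    return toks


def _value(arg):
    """Value part of 'tag=value', or the argument itself when it is untagged."""
    return arg.split("=", 1)[-1].lower()


def lint(script):
    """Return sorted (line, severity, message) findings for a netsh RAS script."""
    findings, weak_added = [], {}
    for no, raw in enumerate(script.splitlines(), 1):
        toks = _tokens(raw)
        if len(toks) < 3 or toks[0].startswith("#"):
            continue  # comment, context switch, or a command without arguments
        verb, noun, args = toks[0].lower(), toks[1].lower(), toks[2:]
        if (verb, noun) == ("set", "authmode"):
            mode = _value(args[0])
            if mode == "bypass":
                findings.append((no, "HIGH", "authmode bypass: no clients are authenticated"))
            elif mode == "nodcc":
                findings.append((no, "MEDIUM", "authmode nodcc: direct-connect clients are not authenticated"))
        elif noun == "authtype" and verb in ("add", "delete"):
            # Track the net effect: an add that is deleted later is not reported.
            kind = _value(args[0])
            if kind in WEAK_AUTHTYPES and verb == "add":
                weak_added[kind] = no
            else:
                weak_added.pop(kind, None)
        elif noun in ("authserv", "acctserv") and verb in ("add", "set"):
            tagged = any(a.lower().startswith("secret=") for a in args)
            # Untagged form: the second argument is the shared secret.
            positional = (len(args) > 1 and "=" not in args[1]
                          and args[1].lower() not in OPTION_WORDS)
            if tagged or positional:
                findings.append((no, "HIGH", f"{noun}: RADIUS shared secret stored in the script in clear text"))
            if noun == "authserv" and re.search(r"signature[ =]disabled", " ".join(args).lower()):
                findings.append((no, "MEDIUM", "authserv: digital signatures disabled"))
        elif (verb, noun) == ("set", "acco") and _value(args[-1]) == "none":
            findings.append((no, "MEDIUM", "acco provider none: no accounting is performed"))
    # Only what the script itself changes is visible; the server's existing list is not.
    for kind, no in weak_added.items():
        sev = "HIGH" if kind == "pap" else "MEDIUM"
        findings.append((no, sev, f"authtype {kind} is enabled by this script and not deleted later"))
    return sorted(findings)


# Constructed sample script (not taken from a real server).
SAMPLE = """\
# constructed sample for the linter
ras set authmode bypass
ras add authtype pap
ras add authtype mschap
ras delete authtype mschap
ras add authtype mschapv2
ras aaaa add authserv name=radius1.example.test secret=NotARealSecret signature disabled
ras aaaa set acco provider none
"""

if __name__ == "__main__":
    for line_no, severity, message in lint(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```

The findings never echo the secret itself, so the linter output can be stored in a ticket or build log.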

Formatting legend

Format : Meaning

Italic : Information that the user must supply

Bold : Elements that the user must type exactly as shown

Ellipsis (...) : Parameter that can be repeated several times in a command line

Between brackets ([]) : Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd} : Set of choices from which the user must choose only one

Courier font : Code or program output