Netsh RAS Commands

Applies To: Windows Server 2008, Windows Server 2008 R2

The Netsh commands for remote access offer a command-line tool as an alternative to administering the remote access functions in the Routing and Remotea Access Microsoft Management Console (MMC) snap-in.

The following commands are available at the ras prompt within the Netsh environment.

• dump

Netsh commands for RAS in Windows Server 2008

Netsh commands for RAS in Windows Server 2008 R2

Add commands

• add authtype

• add link

• add multilink

• add registeredserver

Delete commands

• delete authtype

• delete link

• delete multilink

• delete registeredserver

Set commands

• set authmode

• set client

• set conf

• set portstatus

• set tracing

• set type

• set user

Show commands

• show activeservers

• show authmode

• show authtype

• show client

• show conf

• show link

• show multilink

• show portstatus

• show registeredserver

• show status

• show tracing

• show type

• show user

The following entries provide details for each command.

Displays the configuration of the remote access server in script form.

dump

• You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.

The following commands save the current configuration as a script in the c:\test\rascfg.dmp file.

• From the command prompt:

  netsh ras dump > c:\test\rascfg.dmp

• From the netsh ras context prompt:

  set file open c:\test\rascfg.dmp

  dump

  set file close

You can use the netsh exec command to run the script created by the netsh dump command.

Adds an authentication type to the list of types that the remote access server uses to negotiate authentication.

add authtype

[ type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }

• [ type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }
  Required. Specifies which authentication type to add to the list of types that the remote access server uses to negotiate authentication. The supported authentication types include:

  • PAP: Enables Password Authentication Protocol (PAP). This authentication method sends all information in plaintext.

  • MD5CHAP: Enables Challenge Handshake Authentication Protocol (CHAP), which uses the Message Digest 5 (MD5) hashing scheme to encrypt the response.

  • MSCHAPv2: Enables version 2 of MSCHAP.

  • EAP: Enables Extensible Authentication Protocol (EAP).

  • CERT: Enables certificate-based authentication for use by Internet Key Exchange v2 (IKEv2). This option is available on RRAS servers running Windows Server 2008 R2 only, and applies to client computers running Windows 7 only.

• The remote access server will attempt to negotiate authentication by using protocols in order from the most secure to the least secure. After both the client and the server have agreed on an authentication type, PPP negotiation proceeds according to the appropriate RFCs.

Adds a link property to the list of link properties that PPP negotiates.

add link

[ type = ] { swc | lcp }

• [ type = ] { swc | lcp }
  Required. Specifies which link property to add to the list of link properties that PPP negotiates.

  • swc: Specifies that software compression (MPPC) is added.

  • lcp: Specifies that Link Control Protocol (LCP) extensions from the PPP suite of protocols is added.

Adds a multilink type to the list of multilink types PPP will negotiate.

add multilink

[ type = ] { multi | bacp }

• [ type = ] { multi | bacp }
  Required. Specifies which multilink type to add to the list of multilink types PPP will negotiate.

  • multi: Specifies that multilink PPP sessions are added.

  • bacp: Specifies that Bandwidth Allocation Control Protocol (BACP) is added.

Registers the specified server as a remote access server in the specified Active Directory® domain. Used without parameters, add registeredserver registers the computer from which you type the command in its primary domain.

add registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

• [ domain = ] DomainName
  Specifies the domain in which to register the server. If you do not specify a domain, the server is registered in its primary domain.

• [ server = ] ServerName
  Specifies, by DNS name or IPv4 address, the server to register. If you do not specify a server, the computer from which you type the command is registered.

Deletes an authentication type from the list of types that the remote access server should use to negotiate authentication.

delete authtype

[ type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }

• [ type = ] { PAP | MD5CHAP | mschapv2 | eap | CERT }
  Required. Specifies the authentication type to delete from the list of types that the remote access server uses to negotiate authentication.

  • PAP: Disables PAP.

  • MD5CHAP: Disables MD5CHAP.

  • MSCHAPv2: Disables MSCHAPv2.

  • EAP: Disables EAP.

  • CERT: Disables certificate-based authentication for use by IKEv2. This option is available on RRAS servers running Windows Server 2008 R2 only, and applies to client computers running Windows 7 only.

Deletes a link property from the list of link properties PPP will negotiate.

delete link

[ type = ] { swc | lcp }

• [ type = ] { swc | lcp }
  Required. Specifies which link property to delete from the list of link properties PPP will negotiate.

  • swc: Specifies that MPPC software compression is deleted.

  • lcp: Specifies that LCP extensions from the PPP suite of protocols is deleted.

Deletes a multilink type from the list of multilink types PPP will negotiate.

delete multilink

[ type = ] {multi | bacp }

• [ type = ] { multi | bacp }
  Required. Specifies which multilink type to delete from the list of multilink types PPP will negotiate.

  • multi: Specifies that multilink PPP sessions are deleted.

  • bacp: Specifies that BACP is deleted.

Deletes the registration of the specified server as a remote access server from the specified Active Directory domain. Used without parameters, delete registeredserver deletes the registration of the computer from which you type the command from its primary domain.

delete registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

• [ domain = ] DomainName
  Specifies the domain from which to remove the registration. If you do not specify a domain, the registration is removed from the primary domain of the computer from which you type the command.

• [ server = ] ServerName ]
  Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do not specify a server, the registration is removed for the computer from which you type the command.

Specifies whether dial-up clients using certain types of devices should be authenticated.

set authmode

[ mode = ] { standard | nodcc | bypass }

• [ mode = ] { standard | nodcc | bypass }
  Required. Specifies whether dial-up clients using certain types of devices should be authenticated.

  • standard specifies that clients using any type of device should be authenticated.

  • nodcc specifies that clients using any type of device except a direct-connect device should be authenticated.

  • bypass specifies that no clients should be authenticated.

Resets the user statistics and disconnects a remote access client.

set client

[ name = ] ClientName

[ state = ] { disconnect | resetstats }

• [ name = ] ClientName
  Required. Specifies the user name of the client to disconnect or reset statistics.

• **[ state = ** ] { disconnect | resetstats }
  Required. Specifies the action to perform. The parameter disconnect disconnects the specified user. The parameter resetstats resets the statistics for the specified user.

Sets the remote access configuration state of the server.

set conf

[ confstate = ] { enabled | disabled }

• [ confstate = ] { enabled | disabled }
  Required. Specifies the remote access configuration state.

  • enabled: Enables the server configuration.

  • disabled: Disables the server configuration and removes the server from the list of remote access servers.

Resets the RAS ports statistics.

set portstatus

[ [ name = ] PortName ]

• [ name = ] PortName
  Specifies the name of the port. If none is specified, resets statistics of all active ports.

Enables or disables tracing for the specified component.

set tracing

[ component = ] component

[ state = ] { enabled | disabled }

• [ component = ] Component
  Required. Specifies the component for which you want to enable or disable tracing. Use "*" to specify all components.

• [ state = ] { enabled | disabled }
  Required. Specifies whether to enable or disable tracing for the specified component.

• To see a list of all installed components, use the show tracing command without parameters.

To set tracing for the PPP component, type:

set tracing ppp enabled

Specifies the types of routing that are enabled, and whether remote access is enabled.

set type

[ ipv4rtrtype = ] { lanonly | lananddd | none }

[ ipv6rtrtype = ] { lanonly | lananddd | none }

[ rastype = ] { ipv4 | ipv6 | both | none }

• [ ipv4rtrtype = ] { lanonly | lananddd | none }
  Specifies that the computer is configured as an IPv4 router. The lanonly parameter specifies that this computer is a LAN-only router and does not support demand-dial or VPN connections to remote networks. The lananddd parameter specifies that this computer is both a LAN and demand-dial router and supports VPN connections to remote networks. The none parameter specifies that this computer is not enabled as an IPv4 router.

• [ ipv6rtrtype = ] { lanonly | lananddd | none }
  Specifies that the computer is configured as an IPv6 router.

  • lanonly specifies that this computer is a LAN-only router and does not support demand-dial or VPN connections to remote networks.

  • lananddd specifies that this computer is a LAN and demand-dial router and supports VPN connections to remote networks.

  • none specifies that this computer is not enabled as an IPv6 router.

• [ rastype = ] { ipv4 | ipv6 | both | none }
  Specifies that the computer is configured as a remote access server.

  • ipv4 specifies that the computer accepts IPv4-based remote access connections.

  • ipv6 specifies that the computer accepts IPv6-based remote access connections.

  • both specifies that the computer accepts remote access connections for both IPv4 and IPv6.

  • none specifies that the computer is not configured as a remote access server.

Sets the properties of the specified remote access user.

set user

[ name = ] UserName

[ dialin = ] { permit | deny | policy }

[ [ cbpolicy = ] { none | caller | admin }

[ cbnumber = ] CallbackNumber ]

• [ name = ] UserName
  Required. Specifies, by logon name, the user for which you want to set properties.

• [ dialin = ] { permit | deny | policy }
  Required. Specifies the circumstances under which the user is allowed to connect.

  • permit specifies that the user is allowed to connect.

  • deny specifies that the user is not allowed to connect.

  • policy specifies that remote access policies determine whether the user is allowed to connect.

• [ cbpolicy = ] { none | caller | admin } [ cbnumber = ] CallbackNumber
  Specifies the callback policy for the user. The callback feature saves the user the cost of the phone call used to connect to a remote access server.

  • none specifies that the user is not called back.

  • caller specifies that the user is called back at a number specified by the user at connection time.

  • admin specifies that the user is called back at the number specified by the CallbackNumber parameter.

• The policy option is not available for users that belong to a mixed-mode domain. For users in a mixed-mode domain, the policy parameter and the deny parameter are equivalent.

To allow User1 to connect and be called back at (425) 555-0110, type:

set user user1 dialin=permit cbpolicy=admin cbnumber=4255550110

Displays a list of remote access server (RAS) advertisements.

show activeservers

Shows whether dial-up clients using certain types of devices should be authenticated.

show authmode

Lists the authentication type (or types) that the remote access server uses to attempt to negotiate authentication.

show authtype

Lists remote access clients connected to this server.

show client

[ [ name = ] ClientName ]

• [ name = ] ClientName
  Shows the status of a given client connected to the server. If this parameter is "*", show client enumerates the status of all clients. If no name is specified, show client shows which, if any, remote access clients are connected to the server.

Shows the remote access configuration state of the server.

show conf

Displays the link properties PPP will negotiate.

show link

Shows the multilink types PPP will negotiate.

show multilink

Shows the current status of RAS ports.

show portstatus

[ [ name = ] PortName ]

[ [ state = ] { nonoperational | disconnected | callingback | listening | authenticating | connected | initializing } ]

• [ name = ] PortName
  Specifies the port for which to display status.

• [ state = ] { nonoperational | disconnected | callingback | listening | authenticating | connected | initializing } ]
  Display ports with the specified state.

The following show the port status using the name and state parameters.

show portstatus name=VPN0-127

show portstatus state=connected

Displays status information about the specified server registered as a remote access server in the specified Active Directory domain. Used without parameters, it displays the registration status of the local computer.

show registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

• [ domain = ] DomainName
  Specifies the domain in which the server about which you want to display information is registered. If you do not specify a domain, the primary domain of the computer from which the command is issued is assumed.

• [ server = ] ServerName
  Specifies, by IP address or DNS name, the server about which you want to display information. If you do not specify a server, the computer from which the command is issued is assumed.

Shows the status of a server running Routing and Remote Access.

show status

Shows whether tracing is enabled for the specified component. To see a list of all installed components and whether tracing is enabled for each, use the show tracing command without parameters.

show tracing

[ [ component = ] component ]

• [ component = ] component
  Specifies the component for which to display information. If no component is specified, show tracing shows the state of all installed components.

Shows the types of routing that are enabled and whether remote access is enabled.

show type

Displays the properties of a specified remote access user or users. Used without parameters, show user displays the properties of all remote access users.

show user

[ [ name = ] UserName

[ mode = ] { permit | report } ]

• [ name = ] UserName
  Specifies, by logon name, the user whose properties you want to display. If you do not specify a user, the properties of all users are displayed.

• [ mode = ] { permit | report }
  Specifies whether to show properties for all users or only those whose network access (dial-up) permission is set to permit.

  • permit: Specifies that properties are displayed only for users that have network access (dial-up) permission.

  • report (default): Specifies that properties are displayed for all users.

Set commands

• set ikev2connection

• set ikev2saexpiry

• set sstp-ssl-cert

• set wanports

Show commands

• show ikev2connection

• show ikev2saexpiry

• show sstp-ssl-cert

• show wanports

Sets the idle timeout and network outage values for IKEv2-based VPN client connections.

set ikev2connection

[ idletimeout = ] integer

[ nwoutagetime = ] integer

• [ idletimeout = ] integer
  Specifies the time, in minutes, that the VPN client can remain idle before it is disconnected by the RRAS server. The value can range from a minimum of 5 minutes to a maximum of 2879 minutes (less than 48 hours).

• [ nwoutagetime = ] integer
  Specifies the time, in minutes, that the VPN client tolerates a network outage before dropping the connection. The minimum value is 2 minutes.

Sets the time and data limits on an IKEv2-based security association (SA).

set ikev2saexpiry

[ saexpirytime = ] integer

[ sadatasizelimit = ] integer

• [ saexpirytime = ] integer
  Specifies the time, in minutes, that an IKEv2-based SA is allowed to exist before the SA must be renegotiated. The value can range from a minimum of 5 minutes to a maximum of 2879 minutes (less than 48 hours).

• [ sadatasizelimit = ] integer
  Specifies the amount of data, in megabytes (MB), that can be transferred through an IKEv2-based SA before the SA must be renegotiated. The minimum value is 1 MB.

Sets the certificate configuration to be used by SSTP connections. You can specify the certificate by its name or its SHA-1 hash value.

set sstp-ssl-cert

[ [ name = ] { certname | default } ]

[ [ hash = ] hash ]

• [ name = ] { certname | default }
  Specifies the name of the certificate to be used for SSTP connections. If you specify default, then SSTP is reset to its default configuration.

• [ hash = ] hash
  Specifies the SHA-1 hash of the certificate to be used for SSTP connections.

Configure RRAS port options.

set wanports

[ device = ] devicename

[ [ rasinonly = ] { enabled | disabled } ]

[ [ ddinout = ] { enabled | disabled } ]

[ [ ddoutonly = ] { enabled | disabled } ]

[ [ phone = ] phonenumber ]

[ [ maxports = ] integer ]

• [ device = ] devicename
  Specifies the device name of the port. Typical entries available in Windows include:

  • WAN Miniport (SSTP)

  • WAN Miniport (PPTP)

  • WAN Miniport (PPPOE)

  • WAN Miniport (L2TP)

  • WAN Miniport (IKEv2)

• [ rasinonly = ] { enabled | disabled }
  Specifies whether the specified port type accepts inbound remote access connections.

• [ ddinout = ] { enabled | disabled }
  Specifies whether the specified port type can be used for both inbound and outbound routing connections.

• [ ddoutonly = ] { enabled | disabled }
  Specifies whether the specified port type is usable only for outbound routing connections.

• [ phone = ] phonenumber
  Specifies the destination of the outbound routing connection. If the port is attached to a modem or ISDN device, then it specifies a phone number. If the port is direct connected to a network, then it specifies the IPv4 or IPv6 address of the destination router.

• [ maxports = ] integer
  Specifies the maximum number of ports for the specified device type.

Shows the idle timeout and network outage times for IKEv2 client connections.

show ikev2connection

Shows the time and data limits for IKEv2 security associations (SAs).

show ikev2saexpiry

Shows the current SSTP certificate configuration.

show sstp-ssl-cert

Shows the current configuration for a specified WAN port type.

show wanports

[ device = ] devicename

• [ device = ] devicename
  Specifies the device name of the port. Typical entries available in Windows include:

  • WAN Miniport (SSTP)

  • WAN Miniport (PPTP)

  • WAN Miniport (PPPOE)

  • WAN Miniport (L2TP)

  • WAN Miniport (IKEv2)