The Netsh commands for remote access offer a command-line tool as an alternative to administering the remote access functions in the Routing and Remotea Access Microsoft Management Console (MMC) snap-in.

The following commands are available at the ras prompt within the Netsh environment.

Netsh Commands for RAS in Windows Server 2008

Netsh Commands for RAS in Windows Server 2008 R2

Note
All of the commands for Windows Server 2008 continue to apply to RRAS servers running Windows Server 2008 R2. This section documents new commands for Windows Server 2008 R2 that are not valid on earlier versions of Windows.

Netsh commands for RAS in Windows Server 2008

Add commands

Delete commands

Set commands

Show commands

The following entries provide details for each command.

dump

Displays the configuration of the remote access server in script form.

Syntax

dump

Remarks

  • You can dump the contents of the current configuration to a file that can be used to restore altered configuration settings.

Example

The following commands save the current configuration as a script in the c:\test\rascfg.dmp file.

  • From the command prompt:

    netsh ras dump > c:\test\rascfg.dmp

  • From the netsh ras context prompt:

    set file open c:\test\rascfg.dmp

    dump

    set file close

You can use the netsh exec command to run the script created by the netsh dump command.

add authtype

Adds an authentication type to the list of types that the remote access server uses to negotiate authentication.

Syntax

add authtype

type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }

Parameters

type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }

Required. Specifies which authentication type to add to the list of types that the remote access server uses to negotiate authentication. The supported authentication types include:
  • PAP: Enables Password Authentication Protocol (PAP). This authentication method sends all information in plaintext.

  • MD5CHAP: Enables Challenge Handshake Authentication Protocol (CHAP), which uses the Message Digest 5 (MD5) hashing scheme to encrypt the response.

  • MSCHAPv2: Enables version 2 of MSCHAP.

  • EAP: Enables Extensible Authentication Protocol (EAP).

  • CERT: Enables certificate-based authentication for use by Internet Key Exchange v2 (IKEv2). This option is available on RRAS servers running Windows Server 2008 R2 only, and applies to client computers running Windows 7 only.

Remarks

  • The remote access server will attempt to negotiate authentication by using protocols in order from the most secure to the least secure. After both the client and the server have agreed on an authentication type, PPP negotiation proceeds according to the appropriate RFCs.

add link

Adds a link property to the list of link properties that PPP negotiates.

Syntax

add link

type = ] { swc | lcp }

Parameters

type = ] { swc | lcp }

Required. Specifies which link property to add to the list of link properties that PPP negotiates.
  • swc: Specifies that software compression (MPPC) is added.

  • lcp: Specifies that Link Control Protocol (LCP) extensions from the PPP suite of protocols is added.

add multilink

Adds a multilink type to the list of multilink types PPP will negotiate.

Syntax

add multilink

type = ] { multi | bacp }

Parameters

type = ] { multi | bacp }

Required. Specifies which multilink type to add to the list of multilink types PPP will negotiate.
  • multi: Specifies that multilink PPP sessions are added.

  • bacp: Specifies that Bandwidth Allocation Control Protocol (BACP) is added.

add registeredserver

Registers the specified server as a remote access server in the specified Active Directory® domain. Used without parameters, add registeredserver registers the computer from which you type the command in its primary domain.

Syntax

add registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

Parameters

domain = ] DomainName

Specifies the domain in which to register the server. If you do not specify a domain, the server is registered in its primary domain.
server = ] ServerName

Specifies, by DNS name or IPv4 address, the server to register. If you do not specify a server, the computer from which you type the command is registered.

delete authtype

Deletes an authentication type from the list of types that the remote access server should use to negotiate authentication.

Syntax

delete authtype

type = ] { PAP | MD5CHAP | MSCHAPv2 | EAP | CERT }

Parameters

type = ] { PAP | MD5CHAP | mschapv2 | eap | CERT }

Required. Specifies the authentication type to delete from the list of types that the remote access server uses to negotiate authentication.
  • PAP: Disables PAP.

  • MD5CHAP: Disables MD5CHAP.

  • MSCHAPv2: Disables MSCHAPv2.

  • EAP: Disables EAP.

  • CERT: Disables certificate-based authentication for use by IKEv2. This option is available on RRAS servers running Windows Server 2008 R2 only, and applies to client computers running Windows 7 only.

delete link

Deletes a link property from the list of link properties PPP will negotiate.

Syntax

delete link

type = ] { swc | lcp }

Parameters

type = ] { swc | lcp }

Required. Specifies which link property to delete from the list of link properties PPP will negotiate.
  • swc: Specifies that MPPC software compression is deleted.

  • lcp: Specifies that LCP extensions from the PPP suite of protocols is deleted.

delete multilink

Deletes a multilink type from the list of multilink types PPP will negotiate.

Syntax

delete multilink

type = ] {multi | bacp }

Parameters

type = ] { multi | bacp }

Required. Specifies which multilink type to delete from the list of multilink types PPP will negotiate.
  • multi: Specifies that multilink PPP sessions are deleted.

  • bacp: Specifies that BACP is deleted.

delete registeredserver

Deletes the registration of the specified server as a remote access server from the specified Active Directory domain. Used without parameters, delete registeredserver deletes the registration of the computer from which you type the command from its primary domain.

Syntax

delete registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

Parameters

domain = ] DomainName

Specifies the domain from which to remove the registration. If you do not specify a domain, the registration is removed from the primary domain of the computer from which you type the command.
server = ] ServerName ]

Specifies, by IP address or DNS name, the server whose registration you want to remove. If you do not specify a server, the registration is removed for the computer from which you type the command.

set authmode

Specifies whether dial-up clients using certain types of devices should be authenticated.

Syntax

set authmode

mode = ] { standard | nodcc | bypass }

Parameters

mode = ] { standard | nodcc | bypass }

Required. Specifies whether dial-up clients using certain types of devices should be authenticated.
  • standard specifies that clients using any type of device should be authenticated.

  • nodcc specifies that clients using any type of device except a direct-connect device should be authenticated.

  • bypass specifies that no clients should be authenticated.

set client

Resets the user statistics and disconnects a remote access client.

Syntax

set client

name = ] ClientName

state = ] { disconnect | resetstats }

Parameters

name = ] ClientName

Required. Specifies the user name of the client to disconnect or reset statistics.
state =  ] { disconnect | resetstats }

Required. Specifies the action to perform. The parameter disconnect disconnects the specified user. The parameter resetstats resets the statistics for the specified user.

set conf

Sets the remote access configuration state of the server.

Syntax

set conf

confstate = ] { enabled | disabled }

Parameters

confstate = ] { enabled | disabled }

Required. Specifies the remote access configuration state.
  • enabled: Enables the server configuration.

  • disabled: Disables the server configuration and removes the server from the list of remote access servers.

set portstatus

Resets the RAS ports statistics.

Syntax

set portstatus

[ [ name = ] PortName ]

Parameters

name = ] PortName

Specifies the name of the port. If none is specified, resets statistics of all active ports.

set tracing

Enables or disables tracing for the specified component.

Syntax

set tracing

component = ] component

state = ] { enabled | disabled }

Parameters

component = ] Component

Required. Specifies the component for which you want to enable or disable tracing. Use "*" to specify all components.
state = ] { enabled | disabled }

Required. Specifies whether to enable or disable tracing for the specified component.

Remarks

  • To see a list of all installed components, use the show tracing command without parameters.

Example

To set tracing for the PPP component, type:

set tracing ppp enabled

set type

Specifies the types of routing that are enabled, and whether remote access is enabled.

Syntax

set type

ipv4rtrtype = ] { lanonly | lananddd | none }

ipv6rtrtype = ] { lanonly | lananddd | none }

rastype = ] { ipv4 | ipv6 | both | none }

Parameters

ipv4rtrtype = ] { lanonly | lananddd | none }

Specifies that the computer is configured as an IPv4 router. The lanonly parameter specifies that this computer is a LAN-only router and does not support demand-dial or VPN connections to remote networks. The lananddd parameter specifies that this computer is both a LAN and demand-dial router and supports VPN connections to remote networks. The none parameter specifies that this computer is not enabled as an IPv4 router.
ipv6rtrtype = ] { lanonly | lananddd | none }

Specifies that the computer is configured as an IPv6 router.
  • lanonly specifies that this computer is a LAN-only router and does not support demand-dial or VPN connections to remote networks.

  • lananddd specifies that this computer is a LAN and demand-dial router and supports VPN connections to remote networks.

  • none specifies that this computer is not enabled as an IPv6 router.

rastype = ] { ipv4 | ipv6 | both | none }

Specifies that the computer is configured as a remote access server.
  • ipv4 specifies that the computer accepts IPv4-based remote access connections.

  • ipv6 specifies that the computer accepts IPv6-based remote access connections.

  • both specifies that the computer accepts remote access connections for both IPv4 and IPv6.

  • none specifies that the computer is not configured as a remote access server.

set user

Sets the properties of the specified remote access user.

Syntax

set user

name = ] UserName

dialin = ] { permit | deny | policy }

[ [ cbpolicy = ] { none | caller | admin }

cbnumber = ] CallbackNumber ]

Parameters

name = ] UserName

Required. Specifies, by logon name, the user for which you want to set properties.
dialin = ] { permit | deny | policy }

Required. Specifies the circumstances under which the user is allowed to connect.
  • permit specifies that the user is allowed to connect.

  • deny specifies that the user is not allowed to connect.

  • policy specifies that remote access policies determine whether the user is allowed to connect.

cbpolicy = ] { none | caller | admin } [ cbnumber = ] CallbackNumber

Specifies the callback policy for the user. The callback feature saves the user the cost of the phone call used to connect to a remote access server.
  • none specifies that the user is not called back.

  • caller specifies that the user is called back at a number specified by the user at connection time.

  • admin specifies that the user is called back at the number specified by the CallbackNumber parameter.

Remarks

  • The policy option is not available for users that belong to a mixed-mode domain. For users in a mixed-mode domain, the policy parameter and the deny parameter are equivalent.

Example

To allow User1 to connect and be called back at (425) 555-0110, type:

set user user1 dialin=permit cbpolicy=admin cbnumber=4255550110

show activeservers

Displays a list of remote access server (RAS) advertisements.

Syntax

show activeservers

show authmode

Shows whether dial-up clients using certain types of devices should be authenticated.

Syntax

show authmode

show authtype

Lists the authentication type (or types) that the remote access server uses to attempt to negotiate authentication.

Syntax

show authtype

show client

Lists remote access clients connected to this server.

Syntax

show client

[ [ name = ] ClientName ]

Parameters

name = ] ClientName

Shows the status of a given client connected to the server. If this parameter is "*", show client enumerates the status of all clients. If no name is specified, show client shows which, if any, remote access clients are connected to the server.

show conf

Shows the remote access configuration state of the server.

Syntax

show conf

show link

Displays the link properties PPP will negotiate.

Syntax

show link

show multilink

Shows the multilink types PPP will negotiate.

Syntax

show multilink

show portstatus

Shows the current status of RAS ports.

Syntax

show portstatus

[ [ name = ] PortName ]

[ [ state = ] { nonoperational | disconnected | callingback | listening | authenticating | connected | initializing } ]

Parameters

name = ] PortName

Specifies the port for which to display status.
state = ] { nonoperational | disconnected | callingback | listening | authenticating | connected | initializing } ]

Display ports with the specified state.

Examples

The following show the port status using the name and state parameters.

show portstatus name=VPN0-127

show portstatus state=connected

show registeredserver

Displays status information about the specified server registered as a remote access server in the specified Active Directory domain. Used without parameters, it displays the registration status of the local computer.

Syntax

show registeredserver

[ [ domain = ] DomainName ]

[ [ server = ] ServerName ]

Parameters

domain = ] DomainName

Specifies the domain in which the server about which you want to display information is registered. If you do not specify a domain, the primary domain of the computer from which the command is issued is assumed.
server = ] ServerName

Specifies, by IP address or DNS name, the server about which you want to display information. If you do not specify a server, the computer from which the command is issued is assumed.

show status

Shows the status of a server running Routing and Remote Access.

Syntax

show status

show tracing

Shows whether tracing is enabled for the specified component. To see a list of all installed components and whether tracing is enabled for each, use the show tracing command without parameters.

Syntax

show tracing

[ [ component = ] component ]

Parameters

component = ] component

Specifies the component for which to display information. If no component is specified, show tracing shows the state of all installed components.

show type

Shows the types of routing that are enabled and whether remote access is enabled.

Syntax

show type

show user

Displays the properties of a specified remote access user or users. Used without parameters, show user displays the properties of all remote access users.

Syntax

show user

[ [ name = ] UserName

mode = ] { permit | report } ]

Parameters
name = ] UserName

Specifies, by logon name, the user whose properties you want to display. If you do not specify a user, the properties of all users are displayed.
mode = ] { permit | report }

Specifies whether to show properties for all users or only those whose network access (dial-up) permission is set to permit.
  • permit: Specifies that properties are displayed only for users that have network access (dial-up) permission.

  • report (default): Specifies that properties are displayed for all users.

Netsh commands for RAS in Windows Server 2008 R2

Note
The commands in this section are new to RRAS in Windows Server 2008 R2, and are not available in previous versions of Windows.

Set commands

Show commands

set ikev2connection

Sets the idle timeout and network outage values for IKEv2-based VPN client connections.

Syntax

set ikev2connection

idletimeout = ] integer

nwoutagetime = ] integer

Parameters

idletimeout = ] integer

Specifies the time, in minutes, that the VPN client can remain idle before it is disconnected by the RRAS server. The value can range from a minimum of 5 minutes to a maximum of 2879 minutes (less than 48 hours).
nwoutagetime = ] integer

Specifies the time, in minutes, that the VPN client tolerates a network outage before dropping the connection. The minimum value is 2 minutes.

set ikev2saexpiry

Sets the time and data limits on an IKEv2-based security association (SA).

Syntax

set ikev2saexpiry

saexpirytime = ] integer

sadatasizelimit = ] integer

Parameters

saexpirytime = ] integer

Specifies the time, in minutes, that an IKEv2-based SA is allowed to exist before the SA must be renegotiated. The value can range from a minimum of 5 minutes to a maximum of 2879 minutes (less than 48 hours).
sadatasizelimit = ] integer

Specifies the amount of data, in megabytes (MB), that can be transferred through an IKEv2-based SA before the SA must be renegotiated. The minimum value is 1 MB.

set sstp-ssl-cert

Sets the certificate configuration to be used by SSTP connections. You can specify the certificate by its name or its SHA-1 hash value.

Syntax

set sstp-ssl-cert

[ [ name = ] { certname | default } ]

[ [ hash = ] hash ]

Parameters

name = ] { certname | default }

Specifies the name of the certificate to be used for SSTP connections. If you specify default, then SSTP is reset to its default configuration.
hash = ] hash

Specifies the SHA-1 hash of the certificate to be used for SSTP connections.

set wanports

Configure RRAS port options.

Syntax

set wanports

device = ] devicename

[ [ rasinonly = ] { enabled | disabled } ]

[ [ ddinout = ] { enabled | disabled } ]

[ [ ddoutonly = ] { enabled | disabled } ]

[ [ phone = ] phonenumber ]

[ [ maxports = ] integer ]

Parameters

device = ] devicename

Specifies the device name of the port. Typical entries available in Windows include:
  • WAN Miniport (SSTP)

  • WAN Miniport (PPTP)

  • WAN Miniport (PPPOE)

  • WAN Miniport (L2TP)

  • WAN Miniport (IKEv2)

rasinonly = ] { enabled | disabled }

Specifies whether the specified port type accepts inbound remote access connections.
ddinout = ] { enabled | disabled }

Specifies whether the specified port type can be used for both inbound and outbound routing connections.
ddoutonly = ] { enabled | disabled }

Specifies whether the specified port type is usable only for outbound routing connections.
phone = ] phonenumber

Specifies the destination of the outbound routing connection. If the port is attached to a modem or ISDN device, then it specifies a phone number. If the port is direct connected to a network, then it specifies the IPv4 or IPv6 address of the destination router.
maxports = ] integer

Specifies the maximum number of ports for the specified device type.

show ikev2connection

Shows the idle timeout and network outage times for IKEv2 client connections.

Syntax

show ikev2connection

show ikev2saexpiry

Shows the time and data limits for IKEv2 security associations (SAs).

Syntax

show ikev2saexpiry

show sstp-ssl-cert

Shows the current SSTP certificate configuration.

Syntax

show sstp-ssl-cert

show wanports

Shows the current configuration for a specified WAN port type.

Syntax

show wanports

device = ] devicename

Parameters

device = ] devicename

Specifies the device name of the port. Typical entries available in Windows include:
  • WAN Miniport (SSTP)

  • WAN Miniport (PPTP)

  • WAN Miniport (PPPOE)

  • WAN Miniport (L2TP)

  • WAN Miniport (IKEv2)