Network Policy Commands
Applies To: Windows Server 2008
This section contains the following commands:
add np
delete np
rename np
reset np
set np
show np
show npconditionattributes
show npprofileattributes
For information on how to interpret netsh command syntax, see Formatting Legend.
Network Policy commands
The following entries provide details for each command.
add np
Adds a network policy to the Network Policy Server (NPS) configuration.
Syntax
add np [ name = ] name [ [ state = ] Enable | Disable [ processingorder = ] processingorder [ policysource = ] policysource [ conditionid = ] conditionid [ conditiondata = ] conditiondata [ profileid = ] profileid ([ advprofiletype = ] type [ advprofiledata = ] data ) [ profiledata = ] profiledata ]
Parameters
- name
Required. Specifies the name of the network policy that you want to add.
- state
Optional. Specifies whether the network policy is enabled or disabled. The default is enabled.
- processingorder
Optional. Specifies the numeric position of this policy in the list of policies configured in NPS. Policies highest in the list (for example, at first position) are processed by NPS first. Policies added at positions above other policies cause the positions of the other policies to drop in the list by one position. If processingorder is not specified, the policy is added at the end of the list.
- policysource
Optional. Specifies the type of RADIUS client that can send connection requests that match this policy. An integer value of zero through five must be used to designate the type of RADIUS client that is allowed for the policy. The default value of zero allows connection requests from any type of RADIUS client. See the Remarks section for all valid values.
- conditionid
Required. Specifies the condition attribute name or ID that you want to configure in this network policy. You can view the list of available condition attributes at the netsh prompt by running the show npconditionattributes command. See the section "NPS attributes" for more information.
- profileid
Optional. Specifies an attribute that you want to add to the network policy. Use profiledata to specify the value of the attribute defined by profileid. In addition, each profileid that you specify can be followed by multiple pairs of parameters named advprofiletype and advprofiledata. The syntax for these parameters is:
[advprofiletype= ] type [advprofiledata=] data
You can view the list of available settings attributes at the netsh prompt by running the show npprofileattributes command.
See the Remarks section and "NPS attributes" for more information.
- advprofiletype
Optional. Specifies an attribute that you want to add to the network policy. This parameter is a sub-parameter of and must be preceded by the profileid parameter. Use advprofiledata to add values for the attribute defined with advprofiletype.
- advprofiledata
Optional. Specifies the value of the attribute defined with advprofiletype. This parameter is a sub-parameter of and must be preceded by the profileid parameter. In addition, you must specify advprofiletype when you use advprofiledata.
- profiledata
Optional. Specifies the value of the attribute defined with profileid. For example, if the attribute specified in profileid is NP-Authentication-Type (0x1009), the value of profiledata might be 0x3 (MS-CHAP v1) or 0x4 (MS-CHAP v2). In cases where multiple values are allowed for an attribute, they can be listed:
profileid = "0x1009" profiledata = "0x3" profiledata = "0x4" profiledata = "0x9" profiledata = "0xa"
Remarks on authentication methods
Network policy is configured by default with the following authentication method settings:
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2, profiledata=0x4) and User can change password after it has expired (profiledata=0xa)
- Microsoft Encrypted Authentication (MS-CHAP, profiledata=0x3) and User can change password after it has expired (profiledata=0x9)
In the NPS console, these authentication settings are located on the Settings tab of network policies under Constraints and Authentication Methods.
Remarks on policysource
For policysource, valid values are:
ID | Policy Source |
---|---|
0 | Unspecified (default) |
1 | Terminal Services Gateway |
2 | Remote Access Server (VPN or Dial-up) |
3 | DHCP server |
4 | Wireless Access Point |
5 | Health Registration Authority |
Remarks on configuring IP filters
You can use the profileid, advprofiletype, and advprofiledata parameters to configure IP filters for the network policy that you add. For more information, see the section "Configuring IP filters with Netsh NPS commands."
delete np
Deletes the specified network policy.
Syntax
delete np [ name = ] name
Parameters
- name
Required. Specifies the name of the network policy that you want to delete.
Examples
The following examples delete a network policy named NP1 from the NPS server configuration.
delete np name = NP1
delete np NP1
rename np
Changes the name of a network policy.
Syntax
rename np [ name = ] name [ newname = ] newname
Parameters
- name
Required. Specifies the network policy that you want to rename.
- newname
Required. Specifies the new name for the network policy.
Examples
The following examples rename a network policy from NP1 to NP2. The examples demonstrate that the command can be run with the parameter tags, such as name=, and without them.
rename np name = NP1 newname = NP2
rename np NP1 NP2
reset np
Deletes all network policies that are configured in NPS and restores the default network policy.
Warning
Do not run this command if you want to maintain any of the network policies that you have configured at the NPS server. This command deletes all network policies that you have configured, and after running this command, your network policies cannot be recovered. Before you run this command, it is recommended that you use the export command to save the NPS server configuration to an XML file.
Syntax
reset np
set np
Changes the value of one or more properties of an existing network policy. Values specified by this command overwrite the existing values.
Syntax
set np [ name = ] name [ [ state = ] Enable | Disable [ processingorder = ] processingorder [ policysource = ] policysource [ conditionid = ] conditionid [ conditiondata = ] conditiondata [ profileid = ] profileid ([ advprofiletype = ] type [ advprofiledata = ] data ) [ profiledata = ] profiledata ]
Parameters
- name
Required. Specifies the name of the network policy that you want to modify.
- state
Optional. Specifies whether the network policy is enabled or disabled. The default is enabled.
- processingorder
Optional. Specifies the numeric position of this policy in the list of policies configured in NPS. Policies highest in the list (for example, at first position) are processed by NPS first. Policies added at positions above other policies cause the positions of the other policies to drop in the list by one position. If processingorder is not specified, the policy is added at the end of the list.
- policysource
Optional. Specifies the type of RADIUS client that can send connection requests that match this policy. An integer value of zero through five must be used to designate the type of RADIUS client that is allowed for the policy. The default value of zero allows connection requests from any type of RADIUS client. See the Remarks section for all valid values.
- conditionid
Required. Specifies the condition attribute name or ID that you want to configure in this network policy. You can view the list of available condition attributes at the netsh prompt by running the show npconditionattributes command. See the section "NPS attributes" for more information.
- profileid
Optional. Specifies an attribute that you want to add to the network policy. Use profiledata to specify the value of the attribute defined by profileid. In addition, each profileid that you specify can be followed by multiple pairs of parameters named advprofiletype and advprofiledata. The syntax for these parameters is:
[advprofiletype= ] type [advprofiledata=] data
You can view the list of available settings attributes at the netsh prompt by running the show npprofileattributes command.
See the Remarks section and "NPS attributes" for more information.
- advprofiletype
Optional. Specifies an attribute that you want to add to the network policy. This parameter is a sub-parameter of and must be preceded by the profileid parameter. Use advprofiledata to add values for the attribute defined with advprofiletype.
- advprofiledata
Optional. Specifies the value of the attribute defined with advprofiletype. This parameter is a sub-parameter of and must be preceded by the profileid parameter. In addition, you must specify advprofiletype when you use advprofiledata.
- profiledata
Optional. Specifies the value of the attribute defined with profileid. For example, if the attribute specified in profileid is NP-Authentication-Type (0x1009), the value of profiledata might be 0x3 (MS-CHAP v1) or 0x4 (MS-CHAP v2). In cases where multiple values are allowed for an attribute, they can be listed:
profileid = "0x1009" profiledata = "0x3" profiledata = "0x4" profiledata = "0x9" profiledata = "0xa"
Remarks on authentication methods
Network policy is configured by default with the following authentication method settings:
- Microsoft Encrypted Authentication version 2 (MS-CHAP v2, profiledata=0x4) and User can change password after it has expired (profiledata=0xa)
- Microsoft Encrypted Authentication (MS-CHAP, profiledata=0x3) and User can change password after it has expired (profiledata=0x9)
In the NPS console, these authentication settings are located on the Settings tab of network policies under Constraints and Authentication Methods.
Remarks on policysource
For policysource, valid values are:
ID | Policy Source |
---|---|
0 | Unspecified (default) |
1 | Terminal Services Gateway |
2 | Remote Access Server (VPN or Dial-up) |
3 | DHCP server |
4 | Wireless Access Point |
5 | Health Registration Authority |
Remarks on configuring IP filters
You can use the profileid, advprofiletype, and advprofiledata parameters to configure IP filters for the network policy that you want to modify. For more information, see the section "Configuring IP filters with Netsh NPS commands."
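The following added example (not part of the original documentation) is a small review script for add np and set np command lines: it checks policysource against the 0 through 5 range and reports NP-Authentication-Type (0x1009) values that enable MS-CHAP v1 (0x3, 0x9), which the default settings above include. It assumes the tagged parameter form only; the function names and sample commands are constructed for illustration.

```python
import re

# Parameter tags from the add np / set np syntax line on this page.
KNOWN_TAGS = {"name", "state", "processingorder", "policysource", "conditionid",
              "conditiondata", "profileid", "advprofiletype", "advprofiledata",
              "profiledata"}
AUTH_TYPE_ID, AUTH_TYPE_NAME = 0x1009, "np-authentication-type"
# profiledata values the page lists for MS-CHAP (v1) and its password-change option.
MSCHAP_V1 = {0x3: "MS-CHAP v1", 0x9: "MS-CHAP v1 password change after expiry"}
# Matches tag = value and tag = "quoted value", with optional spaces around '='.
PAIR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')

def to_int(text):
    """Return the decimal or 0x-prefixed integer in text, or None."""
    try:
        return int(text, 0)
    except ValueError:
        return None

def lint_np(command):
    """Return a list of findings for one tagged add np / set np command."""
    findings, profile = [], None
    for match in PAIR.finditer(command):
        tag = match.group(1).lower()
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown parameter tag '{tag}'")
        elif tag == "policysource" and to_int(value) not in range(6):
            findings.append(f"policysource '{value}' is outside 0-5")
        elif tag == "profileid":
            profile = value  # later profiledata values belong to this attribute
        elif tag == "profiledata" and (
                to_int(profile or "") == AUTH_TYPE_ID
                or (profile or "").lower() == AUTH_TYPE_NAME):
            weak = MSCHAP_V1.get(to_int(value))
            if weak:
                findings.append(f"authentication type {value} enables {weak}")
    return findings

# Constructed sample commands (condition parameters omitted for brevity);
# the policy name NP1 and the attribute values are the ones used on this page.
DEFAULT_AUTH = ('set np name = "NP1" policysource = 2 profileid = "0x1009" '
                'profiledata = "0x3" profiledata = "0x4" profiledata = "0x9" profiledata = "0xa"')
V2_ONLY = 'set np name = "NP1" profileid = "0x1009" profiledata = "0x4" profiledata = "0xa"'

if __name__ == "__main__":
    for cmd in (DEFAULT_AUTH, V2_ONLY):
        print(cmd, "->", lint_np(cmd) or "no findings")
```

Because set np overwrites existing values, the second sample leaves only the MS-CHAP v2 settings on the policy.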
show np
Displays the full configuration of a network policy, including all of the conditions, settings, and attributes configured in the policy.
Syntax
show np
show npconditionattributes
Displays the list of attributes that you can add to the conditions of a network policy.
Syntax
show npconditionattributes
show npprofileattributes
Displays the list of attributes that you can add to the settings of a network policy.
Syntax
show npprofileattributes
See Also
Concepts
NPS Server Commands
RADIUS Client Commands
Connection Request Policy Commands
Remote RADIUS Server Group Commands
Configuring a Network Policy to Grant Access
Network Access Protection Commands for NPS
Accounting Commands
Configuring IP Filters with Netsh NPS Commands
NPS Attributes