communication method, device and system

Document No. 1721558, published 2019-12-17

Reading note: the technology "communication method, device and system" (一种通信方法、装置和系统) was designed and created by 刘明, 闫锐, 袁乃华, 陈贵荣 and 范晨 on 2018-06-11. Abstract: The invention discloses a communication method, device and system. The method comprises: a CPE device determines whether a terminal connected through a LAN port has already passed authentication; if the terminal has passed authentication, the CPE device forwards the traffic exchanged between the terminal and the private network; if the terminal has not been authenticated, the CPE device authenticates it using an authentication server. The method, device and system use the authentication server in the LTE network to authenticate the LAN devices attached below a CPE device that accesses the LTE network, thereby solving the problem of verifying the legitimacy of devices attached to the CPE's LAN side and improving the security of the whole communication system.

1. A communication method, comprising:

the CPE device determining whether a terminal connected through a LAN port has passed authentication;

if the terminal has passed authentication, the CPE device forwarding the traffic exchanged between the terminal and a private network;

and if the terminal has not been authenticated, the CPE device authenticating the terminal using an authentication server.

2. The communication method according to claim 1, wherein:

the CPE device determines whether the terminal has passed authentication by querying the authentication server.

3. The communication method according to claim 1, wherein:

the authentication server is a RADIUS authentication server.

4. The communication method according to claim 1, wherein:

the terminal is connected to the CPE device through a LAN port, and the CPE device communicates with the private network through an LTE network.

5. The communication method according to claim 3, wherein:

the authentication protocol is 802.1X, and the authentication mode is MAC (physical address) authentication.

6. The communication method according to claim 4, wherein:

the authentication server is connected to the LTE network.

7. A communication apparatus, comprising:

an authentication judgment module, configured to determine whether a terminal connected through a LAN port has passed authentication;

a communication module, configured to forward the traffic exchanged between the terminal and a private network after the authentication judgment module determines that the terminal has passed authentication;

and an authentication processing module, configured to authenticate the terminal using an authentication server after the authentication judgment module determines that the terminal has not been authenticated.

8. A communication system, comprising:

a terminal, a CPE device, an authentication server and a private network, wherein:

the terminal accesses the CPE device through a LAN port, and the CPE device communicates with the private network through an LTE network;

the CPE device determines whether the terminal has passed authentication; if the terminal has passed authentication, the CPE device forwards the traffic exchanged between the terminal and the private network, and if the terminal has not passed authentication, the CPE device authenticates the terminal using the authentication server.

9. The communication system of claim 8, wherein:

the authentication server is a RADIUS authentication server.

10. The communication system of claim 8, wherein:

the authentication server is connected to the LTE network.

Technical Field

The present invention relates to the field of communications technology, and in particular to a communication method, apparatus and system for verifying the legitimacy of terminal devices that access an LTE network through the LAN port of a CPE device.

Background

In an LTE (Long Term Evolution) network, the CPE (Customer Premises Equipment) acts as the LTE wireless terminal gateway that interconnects the customer's local network with the customer's server network over the LTE radio network.

Fig. 1 shows, in simplified form, the conventional architecture in which CPE devices access an enterprise PDN over an LTE network. The CPE communicates with the enterprise PDN (Packet Data Network) via a base station and the LTE core network, using for example 3G, 4G or 5G radio technology. A variety of devices can be attached on the LAN (Local Area Network) side of the CPE; they exchange information with the enterprise PDN through forwarding by the CPE.

At present, devices are attached on the LAN side of a CPE in one of two ways. One is Wi-Fi access: the CPE acts as an AP (wireless access point) to which mobile phones, tablets, laptops and other Wi-Fi devices connect. The other is wired access: the CPE provides an Ethernet interface to which devices such as a wired camera or a customer's wired data-acquisition terminal are connected.

When an attached device joins the CPE over Wi-Fi, it can only connect after passing the authentication that Wi-Fi devices normally use (WPA and the like; WEP, although still listed in such products, is long broken and gives no real assurance), so there is at least some access control. When an attached device is connected to the CPE by wire, however, the CPE does not verify the device's legitimacy at all: it simply forwards the device's IP (Internet Protocol) packets to the enterprise PDN.

In fixed-site deployments of private-network LTE, the CPE is usually installed outdoors. In that setting an attacker can easily plug their own equipment into the CPE. If the CPE's LAN side does not verify the legitimacy of wired devices, the attacker can then reach and attack the enterprise's PDN (Packet Data Network) through the LTE network.

Disclosure of Invention

In view of this, the present invention provides a communication method, apparatus and system for verifying the legitimacy of terminal devices that access an LTE network through the LAN port of a CPE device, thereby improving the security of the whole communication system.

The technical scheme of the application is realized as follows:

A communication method, comprising:

the CPE device determining whether a terminal connected through a LAN port has passed authentication;

if the terminal has passed authentication, the CPE device forwarding the traffic exchanged between the terminal and a private network;

and if the terminal has not been authenticated, the CPE device authenticating the terminal using an authentication server.

Further, the CPE device determines whether the terminal has passed authentication by querying the authentication server.

Further, the authentication server is a RADIUS authentication server.

Further, the terminal is connected to the CPE device through a LAN port, and the CPE device communicates with the private network through an LTE network.

Further, the authentication protocol is 802.1X, and the authentication mode is MAC (physical address) authentication.

Further, the authentication server is connected to the LTE network.

A communication device, comprising:

an authentication judgment module, configured to determine whether a terminal connected through a LAN port has passed authentication;

a communication module, configured to forward the traffic exchanged between the terminal and a private network after the authentication judgment module determines that the terminal has passed authentication;

and an authentication processing module, configured to authenticate the terminal using an authentication server after the authentication judgment module determines that the terminal has not been authenticated.

A communication system, comprising:

a terminal, a CPE device, an authentication server and a private network, wherein:

the terminal accesses the CPE device through a LAN port, and the CPE device communicates with the private network through an LTE network;

the CPE device determines whether the terminal has passed authentication; if the terminal has passed authentication, the CPE device forwards the traffic exchanged between the terminal and the private network, and if the terminal has not passed authentication, the CPE device authenticates the terminal using the authentication server.

Further, the authentication server is a RADIUS authentication server.

Further, the authentication server is connected to the LTE network.

The communication method, device and system use the authentication server in the LTE network to authenticate the LAN devices attached below a CPE device that accesses the LTE network, thereby solving the problem of verifying the legitimacy of devices attached to the CPE's LAN side and improving the security of the whole communication system.

Drawings

Fig. 1 is a schematic diagram of a conventional network structure in which CPE devices access an enterprise PDN through an LTE network;

Fig. 2 is a flow chart of a communication method according to an embodiment of the present invention;

Fig. 3 is a schematic diagram of a communication system according to an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and examples.

As shown in fig. 2, an embodiment of the present invention provides a communication method, including:

Step 1: the CPE device determines whether a terminal connected through a LAN port has passed authentication;

Step 2: if the terminal has passed authentication, the CPE device forwards the traffic exchanged between the terminal and the private network;

Step 3: if the terminal has not been authenticated, the CPE device authenticates the terminal using the authentication server.

In a specific embodiment, in step 1 the CPE device determines whether the terminal has been authenticated by querying the authentication server. As a specific embodiment, the authentication server is a RADIUS (Remote Authentication Dial In User Service) server connected to the LTE network. The authentication protocol is 802.1X, and the authentication mode is MAC authentication.

In a specific embodiment, the terminal is connected to the CPE device through a LAN port, and the CPE device communicates with the private network through an LTE network.

An embodiment of the invention also provides a communication device comprising an authentication judgment module, a communication module and an authentication processing module. The authentication judgment module determines whether a terminal connected through a LAN port has passed authentication. The communication module forwards the traffic exchanged between the terminal and the private network after the authentication judgment module determines that the terminal has passed authentication. The authentication processing module authenticates the terminal using the authentication server after the authentication judgment module determines that the terminal has not been authenticated.

In addition, an embodiment of the present invention provides a communication system, shown in fig. 3, comprising a terminal 1, a CPE device 2, an authentication server 3 and a private network 4. The terminal 1 accesses the CPE device 2 through a LAN port, and the CPE device 2 communicates with the private network 4 through the LTE network 5. The CPE device 2 determines whether the terminal 1 has passed authentication; if it has, the CPE device 2 forwards the traffic exchanged between the terminal 1 and the private network 4, and if it has not, the CPE device 2 authenticates the terminal 1 using the authentication server 3.

In a particular embodiment, the authentication server 3 is a RADIUS authentication server connected to the LTE network 5.

In a particular embodiment, the LTE network 5 comprises a base station 51 and a core network 52. The private network 4 and the authentication server 3 are both connected to the core network 52. The CPE device 2 accesses the LTE network 5 through the base station 51. The terminal 1 is, for example, a computer or a camera connected to the CPE device 2 over the LAN. Several terminals 1 may be attached to one CPE device 2, and several CPE devices 2 may be served by one base station 51.

In a specific embodiment, the CPE device 2 performs access authentication on each attached terminal 1. The authentication protocol is 802.1X, and each attached terminal 1 is authenticated in MAC authentication mode.

In a specific embodiment, the CPE device 2 is connected to a RADIUS authentication server, and every terminal 1 attached to the CPE device 2 must have an account on that server. The CPE device 2 obtains the access user name and password of the attached terminal 1 and submits them to the RADIUS server for validity checking.

Once the MAC authentication of an attached terminal 1 has passed, that terminal's subsequent IP packets (CPE user-plane packets) are allowed to be forwarded. Because the credential here is the terminal's MAC address, which is visible on the wire and trivially set on any network interface, the authenticated state is bound to an address rather than to a secret the terminal alone holds; this is the known limitation of MAC authentication and the reason 802.1X deployments normally prefer EAP credentials where the attached device supports them.

To achieve the object of the present invention, in one embodiment the following processing modules may be added to the Linux kernel of the CPE device.

1) Device authentication judgment module: parses the source MAC address (i.e. the terminal's MAC address) of each received Ethernet frame; if that source MAC has been authenticated, the frame continues through the normal network protocol stack; if it has not, the frame is handed to the device authentication processing module.

2) Device authentication processing module: responsible for initiating the terminal's first authentication and for sending and receiving the frames of the 802.1X authentication protocol.

At the same time, a device authentication application is added in user space on the CPE. It mainly implements the following functions:

1) Initiating terminal authentication.

2) Parsing the 802.1X protocol and running the state machine of the exchange with the terminal.

3) Maintaining the terminal's authentication state.

4) Communicating with the RADIUS authentication server: requesting authentication of the terminal's user name and password and obtaining the result.
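The following Python model is an added example, not code from the patent or from any CPE vendor. It models in one process the flow that the two kernel modules and the user-space application above implement: the gate looks up the source MAC of each Ethernet frame, forwards frames from an already authenticated MAC, and otherwise runs a MAC-authentication round trip against a RADIUS server before deciding. The RADIUS side is implemented as RFC 2865 describes it (Access-Request with User-Name and User-Password, the User-Password obfuscation keyed by the Request Authenticator, and the Response Authenticator the CPE must verify before trusting an Accept), with the MAC used as both user name and password, which is the usual convention for MAC authentication. The 802.1X/EAPOL exchange with the terminal is not modelled. The shared secret, the account table, the frame contents and all names are constructed assumptions.

```python
# Added example, not code from the patent: an in-process model of the CPE LAN-port
# gate. RADIUS framing follows RFC 2865; the shared secret, account table, names
# and sample frames are constructed assumptions. The MAC is User-Name and User-Password.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SECRET = b"cpe-radius-shared-secret"          # hypothetical NAS/server shared secret
ACCOUNTS = {b"001122334455": b"001122334455"}  # hypothetical table: user == password == MAC

def _attr(attr_type, value):
    # RADIUS attribute: Type(1) Length(1, header included) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _parse_attrs(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        attrs[attr_type], data = data[2:length], data[length:]
    return attrs

def encode_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous
    # ciphertext block); the first block chains off the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(mac, secret, ident=1, authenticator=None):
    # CPE (NAS) side: Access-Request carrying the terminal's MAC as its credentials.
    auth = authenticator or os.urandom(16)
    user = mac.replace(":", "").lower().encode()
    body = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, encode_password(user, secret, auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def radius_server(packet, secret, accounts):
    # Server side: recover the password, check the account table, and reply with
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if accounts.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    # CPE side: trust the verdict only if the identifier matches and the Response
    # Authenticator verifies under the shared secret; otherwise None (discard reply).
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if response[4:20] == expected else None

def ethernet_frame(src_mac, dst_mac="ff:ff:ff:ff:ff:ff"):
    # Constructed minimal frame: dst(6) src(6) EtherType(IPv4) + dummy payload
    return bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00" + b"\x45" + b"\x00" * 19

class LanPortGate:
    # Model of the two kernel modules: judge by source MAC, forward if already
    # authenticated, otherwise authenticate once via RADIUS and cache an Accept.
    def __init__(self, secret, accounts):
        self.secret, self.accounts = secret, accounts
        self.authenticated = set()
        self.radius_round_trips = 0

    def handle_frame(self, frame):
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        if src_mac in self.authenticated:
            return "forward"                      # already authenticated: normal stack path
        self.radius_round_trips += 1
        request = access_request(src_mac, self.secret)
        reply = radius_server(request, self.secret, self.accounts)
        if verify_response(reply, request, self.secret) == ACCESS_ACCEPT:
            self.authenticated.add(src_mac)
            return "forward"
        return "drop"                             # not authenticated: never forwarded to the PDN

def demo():
    gate = LanPortGate(SECRET, ACCOUNTS)
    macs = ("00:11:22:33:44:55", "00:11:22:33:44:55", "de:ad:be:ef:00:01")
    return [gate.handle_frame(ethernet_frame(m)) for m in macs], gate.radius_round_trips
```

`demo()` returns `(['forward', 'forward', 'drop'], 2)`: the registered MAC is authenticated on its first frame and served from the cache afterwards, and the unknown MAC is dropped. Two points carry over to a real implementation. First, `verify_response` refuses any reply whose identifier or Response Authenticator does not check out, which is what stops a forged Access-Accept on the path between CPE and server; a server configured with a different secret is simply ignored. Second, the model makes the caveat above concrete: the cache is keyed on the source MAC alone, so a second device that clones `00:11:22:33:44:55` after it has been accepted is forwarded without any further check.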

The communication method, device and system use the authentication server in the LTE network to authenticate the LAN devices attached below a CPE device that accesses the LTE network, thereby solving the problem of verifying the legitimacy of devices attached to the CPE's LAN side and improving the security of the whole communication system.

The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
