Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the communication filed on 2/25/21.
All objections and rejections not set forth below have been withdrawn.
Claims 1 – 4 and 6 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/25/21 has been entered.
 
Claim Interpretation

	The examiner notes that the applicant’s claims comprise the recited clause, “wherein the network component has not yet directly accessed the data network via the 

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 – 4 and 6 – 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claims 1 and 14, the recitation of “such network components” (e.g. claim 1, line 9; claim 14, line 6) renders the scope of the claim indefinite.  Specifically, the claims lack antecedent basis for the recitation of a plurality of “network components”.

Regarding claims 1 and 14, the recitation “…for at least such network components as satisfy one or more predetermined criteria…” is grammatically improper and thus renders the scope of the claims indefinite.  For the sake of examination, the examiner presumes the applicant to recite “…if such network components 

Regarding claims 1, 14, and 16, the recitations “…when authentication is successful, the network device grants permission … for at least such network components as satisfy one or more predetermined criteria” (e.g. claims 1, 14) and “…granting permission … when authentication is successful … if the connected network component satisfies one or more predetermined criteria…” (e.g. claim 16) render the scope of the claims indefinite.  Specifically, it is unclear as to when permission is granted.  Namely, it is unclear if permission is granted upon successful authentication, upon the satisfaction of the predetermined criteria, or only upon the combination of both successful authentication and the satisfaction of the predetermined criteria.

Regarding claim 2, the recitation of “a field device” renders the scope of the claims indefinite.  Specifically, the examiner points out that the term “field device” has no standard meaning within the art, and the applicant’s own disclosure fails to provide a clear and concrete definition to the term.  Thus, the subject matter falling within or outside the scope of “field device” is indeterminate.  



Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 4, 6, 8 – 11, and 13 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada, US 2012/0054830 A1, in view of Loos, “Implementing IEEE 802.1x for Wired Networks”, in view of Bjarnason et al. (Bjarnason), US 2015/0280916 A1.

	Regarding claim 1, as best understood in view of the above noted deficiencies, Yamada discloses:
A network device (e.g. Yamada, par. 9 – relay device), comprising two interfaces for connection to an access-protected access point of a data network and to a network component (e.g. Yamada, par. 14 – herein a relay device comprises one interface for connecting with an authenticated, separate relay [i.e. “access-protected access point”] and an interface for connecting to an external device [i.e. “network component”])  wherein the network component has not yet directly accessed the data network via the access point and does not yet store authentication data for the network component to access the access point (e.g. Yamada, fig. 6; par. 14, 16, 104 – The examiner notes that, while this intended use statement directed towards a separate and distinct device of a “network component” fails to further limit the claimed apparatus of “the network device”, and thus fails to distinguish the claims over the prior art, the examiner points out, for the applicant’s benefit, that the prior art external devices (i.e. “network components”) are permitted to directly connect, via wired or wireless means, to any of the access points 100 or 100x). 
The examiner points out that this wherein clause does not further limit the claimed “network device”, but is rather only an intended use statement directed to “a network component”, and furthermore, the “network component” itself is not within the limiting scope of the claim (i.e. the network component is not part of the claimed network device).  However, solely for the applicant’s benefit, the examiner notes that Yamada teaches that mobile devices or components comprise wired means for directly connecting to a relay switch or “access point” before the mobile device stores any information for authentication, and furthermore, nowhere does Yamada disclose that the mobile device or “network component” is required to “directly access the data network via the access point” and “store authentication data for the network component to access the access point” - e.g. Yamada, par. 12, 14, 50, 81; fig. 11:pc60).  Furthermore, the examiner notes that assuming arguendo, that the recitations directed towards the “network component” were to limit the claimed “network device”, and that Yamada’s silence regarding the network component’s storing of authentication data before direct access was to be interpreted as insufficient for anticipation, the examiner notes that Loos discloses that, within the 802.1x protocol, clients or “network components” may lack the appropriate authentication data (e.g. “certificate”) for 802.1x authentication before they directly access an access point, and they may be required to be limited to a restricted VLAN before they may obtain the appropriate credentials for access (e.g. Loos, sect. 2.7). 
It would have been obvious to one of ordinary skill in the art to apply the teachings of Loos, for limiting a client device to a restricted VLAN for subsequent obtainment of an appropriate certificate, within the system of Yamada, because one of ordinary skill in the art would have been motivated by the teachings of Yamada to apply 802.1x authentication before allowing access to an access point (e.g. Yamada, par. 20, 52, 76).
Thus, the combination enables:
wherein the network device is configured such that it authenticates itself at the access point using authentication data for the network device when the access point is connected and the network component is connected (e.g. Yamada, par. 14 – herein, the relay and the separate relay are mutually authenticated, and the external device is connected to the relay) and, when authentication is successful, the network device grants permission for the connected network component to access the data network via the access point for at least such network components as satisfy one or more predetermined criteria (e.g. Yamada, par. 14, 16 – herein, the relay authenticates the external device [i.e. the satisfaction of one or more predetermined criteria] and the frames of the external device are permitted to be passed from the relay to the separate relay).
wherein the network device is configured such that it permits limited access by the connected network component to the data network (e.g. Yamada, par. 14, 16; Loos, sect. 2.7 – herein, the network component or client is limited to a restricted VLAN of the network), and wherein the limited access is restricted to only requesting or obtaining of the authentication data for the network component to access the access point …  (e.g. Loos, sect. 2.7).
The combination of Yamada and Loos discloses using 802.1x authentication for limiting a client to a restricted VLAN for obtaining an appropriate certificate for accessing the network.  However, the combination does not explicitly teach that the certificate is obtained from a “registration server”.  
However, Bjarnason also discloses a system employing 802.1x authentication for connecting new devices to a VLAN for access to a network (e.g. Bjarnason, par. 25, 27).  Furthermore, Bjarnason discloses that the access is first limited and restricted to obtaining authentication data or a certificate from a “registration server” (e.g. Bjarnason, par. 46).
	It would have been obvious to one of ordinary skill in the art to employ the limited access features of Bjarnason within the combination of Yamada and Loos.  This would 
	Thus, the combination enables:
…from a registration server (e.g. Bjarnason, par. 46, 48, 50, 88, 95, 96).
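As an added illustration, not part of this Office action and not code from Yamada, Loos or Bjarnason: the onboarding pattern the combination is read to teach can be stated as a small policy model. A network device (here modelled as an `OnboardingGateway`, a hypothetical name) first authenticates itself at the access point; it admits a connected component only if the component satisfies a predetermined criterion (here, a constructed list of identification data read in beforehand); while admitted, it filters the component's frames so that only traffic to the registration server passes; and once the registration server reports that the component holds its own credential, the device steps aside so the component can authenticate directly. The host names and MAC addresses are constructed placeholders.

```python
"""Policy model of a credential-onboarding gateway (constructed example).

A network device that has authenticated itself at an access point (e.g. via
802.1X) forwards traffic for a not-yet-credentialed component only to a
registration server, and stops acting as intermediary once the component
has obtained its own authentication data.  Names and addresses are
hypothetical placeholders, not values from any cited reference.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class ComponentState(Enum):
    RESTRICTED = auto()    # may reach only the registration server
    CREDENTIALED = auto()  # holds its own authentication data; gateway steps aside


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_host: str
    dst_port: int


@dataclass
class OnboardingGateway:
    # Constructed registration-server endpoint (hypothetical).
    registration_server: str = "registrar.example.invalid"
    registration_port: int = 443
    # "Predetermined criteria": identification data read in beforehand (constructed MACs).
    allowed_components: frozenset = frozenset()
    device_authenticated: bool = False
    _state: dict = field(default_factory=dict)

    def authenticate_to_access_point(self, credential_accepted: bool) -> bool:
        """Record the outcome of the gateway's own authentication at the access point."""
        self.device_authenticated = credential_accepted
        return self.device_authenticated

    def attach_component(self, mac: str) -> bool:
        """Admit a component into the restricted state only when the gateway is
        itself authenticated and the component satisfies the predetermined criteria."""
        if not self.device_authenticated or mac not in self.allowed_components:
            return False
        self._state.setdefault(mac, ComponentState.RESTRICTED)
        return True

    def decide(self, frame: Frame) -> str:
        """Filtering decision for one frame arriving on the component-side interface."""
        state = self._state.get(frame.src_mac)
        if state is None:
            return "DROP"            # unknown or unadmitted component
        if state is ComponentState.CREDENTIALED:
            return "HANDOFF_DIRECT"  # component now authenticates directly; gateway may disconnect
        if (frame.dst_host == self.registration_server
                and frame.dst_port == self.registration_port):
            return "FORWARD"         # the only traffic the limited access allows
        return "DROP"

    def credential_issued(self, mac: str) -> bool:
        """Registration server reports that the component now holds its own credential."""
        if self._state.get(mac) is not ComponentState.RESTRICTED:
            return False
        self._state[mac] = ComponentState.CREDENTIALED
        return True


def run_demo() -> list:
    """Walk one component through the onboarding states; returns the decision trace."""
    new = "02:00:00:00:00:01"          # constructed: satisfies the criteria
    stranger = "02:00:00:00:00:99"     # constructed: does not
    gw = OnboardingGateway(allowed_components=frozenset({new}))
    trace = []
    trace.append(gw.attach_component(new))        # False: gateway not yet authenticated
    gw.authenticate_to_access_point(True)
    trace.append(gw.attach_component(new))        # True
    trace.append(gw.attach_component(stranger))   # False: fails predetermined criteria
    trace.append(gw.decide(Frame(new, "registrar.example.invalid", 443)))   # FORWARD
    trace.append(gw.decide(Frame(new, "fileserver.example.invalid", 445)))  # DROP
    trace.append(gw.decide(Frame(new, "registrar.example.invalid", 80)))    # DROP: wrong port
    trace.append(gw.decide(Frame(stranger, "registrar.example.invalid", 443)))  # DROP
    gw.credential_issued(new)
    trace.append(gw.decide(Frame(new, "fileserver.example.invalid", 445)))  # HANDOFF_DIRECT
    return trace


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The model deliberately has no "full access through the gateway" state: after the credential is issued the gateway returns `HANDOFF_DIRECT`, mirroring the point that limited access is confined to obtaining the credential and that the network device is thereafter disconnected while the component authenticates on its own.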

Regarding claim 2, the combination enables:
	wherein the interfaces of the network device set up for connection to an access point of a data network in the form of a communication network of an automation system (e.g. Yamada, par. 5, 10 – herein, the relay device is utilized within a computerized network or “automation system”) and for connection to a network component in the form of a device to be integrated in the automation system, wherein said device is in the form of a field device (e.g. Yamada, par. 47; fig. 1 – herein, the network component is deployed within the network or “field”, thus it is a “field” device). 

Regarding claim 3, the combination enables:
wherein the network device is set up for communication with a Layer-2 access point (e.g. Yamada, par. 46), the network device being configured such that it authenticates itself at the access point based on the IEEE 802.1X standard (e.g. Yamada, par. 52). 

Regarding claim 4, the combination enables:
wherein the requested or obtained authentication data for the network component to access the access point is sent to the network component from the registration server (e.g. Bjarnason, par. 48, 50). 

Regarding claim 6, the combination enables:
wherein the network device is configured such that the limited access is achieved by at least one of filtering of data traffic in the network device and the tunneling of data traffic in the network device (e.g. Yamada, par. 59, 110 – herein both frame filtering and tunneling are employed). 

Regarding claim 8, the combination enables:
wherein the authentication data for the network device are stored on the network device when the latter is started up, or the network device generates the authentication data for the network device data using identification data of the connected network component (e.g. Yamada, par. 49, 51, 52 – herein, the network device, when running or operating, stores authentication data). 

Regarding claim 9, the combination enables:
wherein the network device stores information that stipulates the connected network components for which the network device permits the access to the data network via the access point (e.g. Yamada, par. 49 – herein, the network device stores addressing information for determining which external devices may communicate within the network).

Regarding claim 10, Yamada fails to explicitly disclose preventing the following claim recitations; Yamada therefore discloses:
wherein the network device permits access to the data network for such network components as successfully authenticate themselves to the network device by authentication information, the authentication information comprising a second digital certificate wherein said second digital certificate is a certificate from the manufacturer of the connected network component. 

Regarding claim 11, the combination enables:
wherein the network device comprises an interface for authenticating a user, wherein one or more predetermined actions that are performable by the network device automatically or when initiated by the user are permitted only on successful authentication of the user via the interface, the predetermined action(s) comprising the activation of the network device for authentication at a connected access point and for permitting a connected network component to access at least one of the data network and the configuration of the network device by the user (e.g. Yamada, par. 52, 108-112 – herein the network device provides means (i.e. interface) for authenticating an external device used by a user [i.e. “user”]).

Regarding claim 13, the combination enables:
wherein the network device comprises an interface for at least one of manually inputting and for reading in identification data from network components, the network device permitting access to the data network only for network components having at least one of identification data input and read in via the interface (e.g. Yamada, par. 50-52 – herein, the network device comprises means [i.e. an interface] for reading authentication [i.e. “identification”] data from external devices). 

Regarding claim 14, as best determined in view of the above noted 112 deficiencies of clarity, it is a method claim essentially corresponding to the above claims, and it is rejected, at least for the same reasons.  

Regarding claim 15, the combination enables:
wherein the access point checks the authentication data for the network device by communicating with an authentication server that stores rules for successful authentication (e.g. Yamada, fig. 2:220, 420 – herein, the relay device comprises an authentication server [i.e. “server”] that stores access rules, which is checked for the purpose of determining whether an external device is authenticated).

Regarding claim 16, it is a method claim essentially corresponding to the claims above, and it is rejected, at least, for the same reasons.  Furthermore, the combination enables:
providing a network device, the network device comprising a first interface for connection to an access-protected access point of a data network and a second interface for connection to a network component, wherein the network component has not yet directly accessed the data network via the access-protected access point and does not yet store authentication data for the network component to access the access point (e.g. Yamada, fig. 6; par. 14, 16, 104 – The examiner notes that, while this intended use statement directed towards a separate and distinct device of a “network component” fails to further limit the claimed apparatus of “the network device”, and thus fails to distinguish the claims over the prior art, the examiner points out, for the applicant’s benefit, that the prior art external devices (i.e. “network components”) are permitted to directly connect, via wired or wireless means, to any of the access points 100 or 100x).
The examiner points out that this wherein clause does not further limit the claimed “network device”, but is rather only an intended use statement directed to “a network component”, and furthermore, the “network component” itself is not within the limiting scope of the claim (i.e. the network component is not part of the claimed network device).  However, solely for the applicant’s benefit, the examiner notes that Yamada teaches that mobile devices or components comprise wired means for directly connecting to a relay switch or “access point” before the mobile device stores any information for authentication, and furthermore, nowhere does Yamada disclose that the mobile device or “network component” is required to “directly access the data network via the access point” and “store authentication data for the network component to access the access point” - e.g. Yamada, par. 12, 14, 50, 81; fig. 11:pc60).  Furthermore, the examiner notes that assuming arguendo, that the recitations directed towards the “network component” were to limit the claimed “network device”, and that Yamada’s silence regarding the network component’s storing of authentication data before direct access was to be interpreted as insufficient for anticipation, the examiner notes that 
It would have been obvious to one of ordinary skill in the art to apply the teachings of Loos, for limiting a client device to a restricted VLAN for subsequent obtainment of an appropriate certificate, within the system of Yamada, because one of ordinary skill in the art would have been motivated by the teachings of Yamada to apply 802.1x authentication before allowing access to an access point (e.g. Yamada, par. 20, 52, 76).
Thus, the combination enables:
authenticating, by the network device, at the access-protected access point using authentication data for the network device when the access-protected access point is connected and the network component is connected (e.g. Yamada, par. 14 – herein, the relay and the separate relay are mutually authenticated, and the external device is connected to the relay),
granting permission, by the network device when authentication is successful, for the connected network component to access the data network via the access-protected access point if the connected network component satisfies one or more predetermined criteria (e.g. Yamada, par. 14, 16 – herein, the relay authenticates the external device [i.e. the satisfaction of one or more predetermined criteria] and the frames of the external device are permitted to be passed from the relay to the separate relay),
and providing limited access, by the network device, to the data network by the connected network component, wherein the limited access is restricted to requesting or obtaining authentication data for the network component to access the access-protected access point (e.g. Yamada, par. 14, 16; Loos, sect. 2.7) from a registration server (e.g. Yamada, par. 14, 16; Bjarnason, par. 43, 46, 48, 50, 88).

Regarding claim 17, the combination enables:
disconnecting the network device after the requested or obtained authentication data for the network component to access the access-protected access point is obtained by the connected network component (e.g. par. 46, 76, 86, 96).  Once a wireless network component or joining device is authenticated or “trusted”, it may leave the network (e.g. reboot, i.e. disconnect) or join the network again without connecting to (i.e. disconnecting from) the existing relay or proxy (i.e. network device).

Regarding claim 18, the combination enables:
connecting to the access-protected access point, by the network component directly, and authenticating on the data network, by the network component directly, using the obtained authentication data for the network component to access the access-protected access point (e.g. Bjarnason, par. 43 – relays or intermediary devices can be bypassed by a joining device).

Regarding claim 19, the combination enables:
wherein the network component connects and authenticates without the network device being connected (e.g. Bjarnason, par. 43 – relays or intermediary devices can be bypassed by a joining device, i.e. without connecting to the relay).

Regarding claim 20, the combination enables:
wherein each of the two interfaces comprises at least one of a plug and a socket (e.g. Yamada, fig. 6; par. 14, 48, 50 – herein the relay comprises two interfaces comprising ports with connection openings, i.e. sockets, for receiving cables from an external computer and a relay device).  


Claims 7 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Yamada, US 2012/0054830 A1, in view of Loos, “Implementing IEEE 802.1x for Wired Networks”, in view of Bjarnason et al. (Bjarnason), US 2015/0280916 A1, in view of Upp, US 2008/0108322 A1.

	Regarding claim 7, Yamada discloses employing EAP authentication (e.g. Yamada, par. 52), however does not appear to explicitly state that such authentication comprises using a digital certificate of an “operator” of the network.
	However, Upp discloses that EAP authentication comprises the provision of a digital certificate, wherein the authentication data for the network device that the network device uses to authenticate itself comprise a first digital certificate, the first digital certificate being a certificate of the operator of the data network (e.g. Upp, par. 2, 22, 23, 32 – 34).  Herein, the authenticating device within the EAP protocol provides a 
	It would have been obvious to one of ordinary skill in the art to employ the teachings of Upp within Yamada, because one of ordinary skill in the art would have been motivated by the teachings of Yamada to utilize the EAP protocol (e.g. Yamada, par. 52).

Regarding claim 12, Yamada discloses authenticating a user device (e.g. Yamada, par. 52), however does not appear to explicitly state that such authentication comprises an interface using a keypad, biometric reader, chip card reader, or mechanical key switch.
	However, Upp also discloses authenticating a user device, wherein the interface for authenticating a user comprises at least one of a keypad and a reader for biometric data and a reader for chip cards and a mechanical key switch (e.g. Upp, par. 20, 26, claim 9).  Herein, the authenticating device comprises means for reading biometric authentication of the user, including via a chip card.
	It would have been obvious to one of ordinary skill in the art to employ the teachings of Upp within Yamada, because one of ordinary skill in the art would have been motivated by the teachings of Upp that network operators desire to utilize such means for allowing users to access their networks (e.g. Upp, par. 2).  

Response to Arguments

Applicant's arguments filed 9/9/20 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
Initially, Applicant respectfully notes the cited reference to Yamada is not directed to a similar device or method as Applicant’s claims and does not provide similar benefits. Applicant’s claimed embodiments provide the advantage of …
…
Yamada does not teach any of these limitations or benefits. Instead, Yamada is directed to managing frame relays between already authenticated components. For example, …
…
Thus, even when broadly reviewed, the cited portions of Yamada do not teach or suggest a network device according to Applicant’s claimed embodiments and do not provide any of the benefits associated with Applicant’s claims.
…
…
(Remarks, pg. 11-13)



Examiner respectfully responds:
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.


Applicant argues or alleges essentially that:
…
Turning more directly to the recited claim limitations, …
…
The combination fails to teach or suggest a network device, comprising two interfaces for connection to an access-protected access point of a data network and to a network component, wherein the network component has not yet directly accessed the data network via the access point and does not yet store authentication data for the network component to access the access point. …
…
While the Examiner noted that the previously presented claim only included intended use language, the currently amended claim positively recites the nature/structure of the network component and ties the network devices operation to this nature/structure of the network component. Thus, these limitations should be given patentable weight.

… However, Yamada does not contemplate that the network component (external device) has not yet directly accessed the data network …   … No direct access by the external device is contemplated or intended. 
…
(Remarks, pg. 13 - 15)

Examiner respectfully responds:
The examiner notes that the applicant’s arguments are not persuasive, at least, for the reason that recitations directed towards a “network component” fail to limit the function or structure of the claimed “network device”.


Applicant argues or alleges essentially that:
…
… The cited combination also fails to teach or suggest the limitation wherein the network device is configured such that it permits limited access by the connected network component to the data network, and wherein the limited access is restricted to requesting or obtaining the authentication data for the network component to access the access point from a registration server. Again, …
…
(Remarks, pg. 15, 16)

Examiner respectfully responds:
Applicant’s argument is unpersuasive, at least, because the newly cited grounds of rejection clearly show that 802.1x authentication stipulates the limiting of a client device to a restricted VLAN (i.e. “limited access”) for obtaining a valid certificate (e.g. Loos, sect. 2.7) from a registration server (e.g. Bjarnason, par. 95, 96).


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495