DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This action is in response to the communications and remarks filed on 2/26/2021. Claims 1-3 and 5-21 are presently pending for examination.

Response to Arguments
Applicant’s arguments, see pages 8-13, filed 2/26/2021, regarding the U.S.C. 102 rejections of Claims 1-3 and 5-21 have been fully considered and are not persuasive.  Applicant argues that "Yuan is completely silent to the network controller being implemented as a wireless access point. Consequently, Applicant submits that the network controller, as disclosed by Yuan, differs from the claimed 'authenticator' which functions as a 'wireless access point.'"
Applicant’s interpretation of the reference has been noted; however, examiner respectfully disagrees.  Yuan teaches and the authenticator comprises a wireless access point that serves as a point of connection for the client device accessing the network; [paragraph 0011, The network controllers 103.sub.1 and 103.sub.2 may be connected to the client devices 101.sub.1-101.sub.5 through respective wired and/or wireless connections – the “network controller” is the “authenticator” which can be wired 
Applicant's arguments, see pages 8-13, filed 2/26/2021, regarding the 102 rejections of Claims 1-3 and 5-21, have been fully considered and are persuasive. Specifically, the argument stating, "Yuan fails to explicitly disclose whether the network controller employs a "secure channel" in order for the credentials to be "downloaded from the authentication server," in the same manner as the present claims...Yuan's disclosed operation may be susceptible to interception (and other security related complications) of the credentials while being passed to the network controller to be locally stored” is persuasive.  However, a new ground of rejection has been made in view of Strand et al., (US 20150248553 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-3 and 5-21 are rejected under 35 U.S.C. 103 as being unpatentable over Yuan et al., (US 20160226848 A1) hereinafter referred to as Yuan in view of Strand et al., (US 20150248553 A1) hereinafter referred to as Strand.
Regarding Claims 1, 10, and 16, Yuan discloses A method, comprising performing authentication of a client device requesting to access a network; [paragraph 0003, The authentication procedure may involve client devices seeking approval from an external RADIUS server to operate within the network system] 
transmitting a connection response from an authentication server to an authenticator, [paragraph 0031, the method 300 may commence at operation 301 with the determination as to whether the external RADIUS server 109.sub.1 is accessible or inaccessible. Accessibility may be defined as the external RADIUS server 109.sub.1 receiving and responding to messages from the network controller 103.sub.1 and/or the client device 101.sub.1] 
wherein credentials of the authenticated client device are downloaded from the authentication server to the authenticator…in response to the connection response; [paragraph 0035, upon receiving an authentication success message for the client device 101.sub.1, the method 300 may move to operation 309. At operation 309, the credentials of the client device 101.sub.1 may be stored locally on the network controller 103.sub.1 or at a different location within the local network of the branch office 105.sub.1] 
and the authenticator comprises a wireless access point that serves as a point of connection for the client device accessing the network; [paragraph 0011, The network controllers 103.sub.1 and 103.sub.2 may be connected to the client devices 101.sub.1-101.sub.5 through respective wired and/or wireless connections – the “network controller” is the “authenticator” which can be wired or wireless and thus would be a “wireless access point”] 
transmitting, by the authenticator, a re-authentication request for the client device to the authentication server during a re-authentication period; [paragraph 0026 and Figure 3, The network controllers 103.sub.1 and 103.sub.2 may store these RADIUS attributes for use during subsequent authentication/re-authentication procedures when the external RADIUS servers 109.sub.1 and 109.sub.2 are inaccessible – teaches a “subsequent…re-authentication” which indicates a re-authentication request during a re-authentication period] 
determining, during the re-authentication period, whether the authentication server is available based on the re-authentication period; [Figure 3, Element 301, teaches first checking to see if the “External Radius Server Accessible” which then branches to either using the External Server for authentication/re-authentication or using locally stored credentials for authentication/re-authentication] 
in response to determining that the authentication server is unavailable based on not receiving a reply to the re-authentication request from the authentication server, [paragraph 0031 and Figure 3, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible after the network controller 103.sub.1 has transmitted one or more authentication request messages to the external RADIUS server 109.sub.1 on behalf of the client device 101.sub.1. For example, after the network controller 103.sub.1 has failed to receive an acknowledgement or response to an authentication request message after a predefined period of time and/or after a predefined number of retries, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible] 
performing, by the authenticator, re-authentication during the re-authentication period using the downloaded credentials; [paragraph 0044 and Figure 3, upon determining that the RADIUS server 109.sub.1 is inaccessible the internal RADIUS server 209 of the network controller 103.sub.1 may perform authentication of the client device 101.sub.1 within the network system 100] [paragraph 0047, Upon detection of locally stored RADIUS key-reply attributes for the client device 101.sub.1, operation 327 may generate an authentication success message with the locally stored RADIUS key-reply attributes] 
and in response to the determining that the authentication server is available based on receiving a reply to the re-authentication request from the authentication server, [paragraph 0031 and Figure 3, Conversely, upon receiving a response from the external RADIUS server 109.sub.1 (e.g., an acknowledgment message, an authentication success message, or an authentication failure message), operation 301 may determine that the external RADIUS server 109.sub.1 is accessible] 
transmitting a connection response to the client device based on the re-authentication as performed by the authentication server using new credentials received by the client device in an identity response during the re-authentication period. [paragraph 0032 and Figure 3, Upon determining that the external RADIUS server 109.sub.1 is accessible at operation 301… The authentication request message may include credentials for the client device 101.sub.1 (e.g., a user name and password for a user of the client device 101.sub.1). In response to receipt of this authentication request message, the external RADIUS server 109.sub.1 may determine whether the client device 101.sub.1 is authorized to access the network system 100. For example, the external RADIUS server 109.sub.1 may compare the credentials received in the authentication request message with a set of authorized credentials. In response to locating a match between the credentials of the client device 101.sub.1 and a set of authorized credentials, the external RADIUS server 109.sub.1 may generate and transmit an authentication success message to the network controller 103.sub.1]
Yuan does not explicitly teach via a secure channel.
Strand teaches via a secure channel [Abstract, for provisioning account credentials via a trusted channel] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Strand with the disclosure of Yuan. The motivation or suggestion would have been to “provide an automated approach to registering and/or authenticating multiple accounts for a device that is considered trusted.” (paragraph 0013)
Regarding Claim 2, Yuan discloses wherein authentication is performed according to the IEEE 802.1X standard. [paragraph 0018, The I/O interface 205 may include a wired network interface such as an IEEE 802.3 Ethernet interface and/or a wireless interface such as an IEEE 802.11 WiFi interface]
Regarding Claim 3, Yuan discloses further comprising: transmitting an access request from the client device to the authenticator; and transmitting a corresponding access request using an access request protocol from the authenticator to the authentication server in response to the access request from the client, wherein the access request protocol comprises a remote authentication dial-in user service (RADIUS) protocol. [paragraph 0003, The authentication procedure may involve client devices seeking approval from an external RADIUS server to operate within the network system]
Regarding Claim 5, Yuan discloses wherein it is determined that the authentication server is available when the reply is received from the authentication server in response to the re-authentication request; [paragraph 0031 and Figure 3, Conversely, upon receiving a response from the external RADIUS server 109.sub.1 (e.g., an acknowledgment message, an authentication success message, or an authentication failure message), operation 301 may determine that the external RADIUS server 109.sub.1 is accessible] 
and wherein it is determined that the authentication server is unavailable when the reply is not received from the authentication server. 0031 and Figure 3, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible after the network controller 103.sub.1 has transmitted one or more authentication request messages to the external RADIUS server 109.sub.1 on behalf of the client device 101.sub.1. For example, after the network controller 103.sub.1 has failed to receive an acknowledgement or response to an authentication request message after a predefined period of time and/or after a predefined number of retries, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible]
Regarding Claims 6, 12, 15, and 20, Yuan discloses further comprising performing the re-authentication at the authentication server in response to the reply being received. [paragraph 0032 and Figure 3, Upon determining that the external RADIUS server 109.sub.1 is accessible at operation 301… The authentication request message may include credentials for the client device 101.sub.1 (e.g., a user name and password for a user of the client device 101.sub.1). In response to receipt of this authentication request message, the external RADIUS server 109.sub.1 may determine whether the client device 101.sub.1 is authorized to access the network system 100. For example, the external RADIUS server 109.sub.1 may compare the credentials received in the authentication request message with a set of authorized credentials. In response to locating a match between the credentials of the client device 101.sub.1 and a set of authorized credentials, the external RADIUS server 109.sub.1 may generate and transmit an authentication success message to the network controller 103.sub.1]
Regarding Claims 7, 13, and 18, Yuan discloses further comprising: transmitting the re-authentication request for the client device from the authenticator to the client device; [paragraph 0026 and Figure 3, The network controllers 103.sub.1 and 103.sub.2 may store these RADIUS attributes for use during subsequent authentication/re-authentication procedures when the external RADIUS servers 109.sub.1 and 109.sub.2 are inaccessible – teaches a “subsequent…re-authentication” which indicates a re-authentication request during a re-authentication period] 
transmitting an identity response that includes the new credentials from the client device to the authenticator in response to the re-authentication request; [paragraph 0032, The authentication request message may include credentials for the client device 101.sub.1 (e.g., a user name and password for a user of the client device 101.sub.1)] 
translating, at the authenticator, the re-authentication request to conform to an access protocol utilized between the authenticator and the authentication server; and transmitting the translated re-authentication request and the credentials from the authenticator to the authentication server, [paragraph 0038, In response to determining at operation 311 that no RADIUS attributes were received from the external RADIUS server 109.sub.1, the method 300 may move to operation 313. At operation 313, the client device 101.sub.1 may be assigned a default role and/or VLAN in the network system 100. For example, the default role and/or VLAN may restrict the client device 101.sub.1 to a small segment of network resources (e.g., only access to the World Wide Web) – the “default role” determines the “access protocol” available to the client device] 
wherein the access request protocol comprises a remote authentication dial-in user service (RADIUS) protocol. [paragraph 0031, the method 300 may commence at operation 301 with the determination as to whether the external RADIUS server 109.sub.1 is accessible or inaccessible. Accessibility may be defined as the external RADIUS server 109.sub.1 receiving and responding to messages from the network controller 103.sub.1 and/or the client device 101.sub.1]
Regarding Claims 8, 14, and 19, Yuan discloses further comprising; determining whether a reply to the translated re-authentication request is received from the authentication server in response to the translated re-authentication request; [paragraph 0031 and Figure 3, Conversely, upon receiving a response from the external RADIUS server 109.sub.1 (e.g., an acknowledgment message, an authentication success message, or an authentication failure message), operation 301 may determine that the external RADIUS server 109.sub.1 is accessible] 
and performing the re-authentication using the downloaded credentials in response to the reply not being received. [paragraph 0044 and Figure 3, upon determining that the RADIUS server 109.sub.1 is inaccessible the internal RADIUS server 209 of the network controller 103.sub.1 may perform authentication of the client device 101.sub.1 within the network system 100] [paragraph 0047, Upon detection of locally stored RADIUS key-reply attributes for the client device 101.sub.1, operation 327 may generate an authentication success message with the locally stored RADIUS key-reply attributes]
Regarding Claim 9, Yuan discloses comprising performing the re-authentication at the authentication server based on the identity response that includes the new credentials from the client device in response to the reply being received. [paragraph 0032 and Figure 3, Upon determining that the external RADIUS server 109.sub.1 is accessible at operation 301… The authentication request message may include credentials for the client device 101.sub.1 (e.g., a user name and password for a user of the client device 101.sub.1). In response to receipt of this authentication request message, the external RADIUS server 109.sub.1 may determine whether the client device 101.sub.1 is authorized to access the network system 100. For example, the external RADIUS server 109.sub.1 may compare the credentials received in the authentication request message with a set of authorized credentials. In response to locating a match between the credentials of the client device 101.sub.1 and a set of authorized credentials, the external RADIUS server 109.sub.1 may generate and transmit an authentication success message to the network controller 103.sub.1]
Regarding Claim 11, Yuan discloses wherein the authenticator is to: transmit a re-authentication request for the client device to the authentication server; determine whether the reply is received from the authentication server in response to the re-authentication request; 0031 and Figure 3, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible after the network controller 103.sub.1 has transmitted one or more authentication request messages to the external RADIUS server 109.sub.1 on behalf of the client device 101.sub.1. For example, after the network controller 103.sub.1 has failed to receive an acknowledgement or response to an authentication request message after a predefined period of time and/or after a predefined number of retries, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible] 
and perform the re-authentication using the downloaded credentials in response to the reply not being received. [paragraph 0044 and Figure 3, upon determining that the RADIUS server 109.sub.1 is inaccessible the internal RADIUS server 209 of the network controller 103.sub.1 may perform authentication of the client device 101.sub.1 within the network system 100] [paragraph 0047, Upon detection of locally stored RADIUS key-reply attributes for the client device 101.sub.1, operation 327 may generate an authentication success message with the locally stored RADIUS key-reply attributes]
Regarding Claim 17, Yuan discloses wherein the reply not being received indicates that the authentication server is unavailable. [paragraph 0031 and Figure 3, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible after the network controller 103.sub.1 has transmitted one or more authentication request messages to the external RADIUS server 109.sub.1 on behalf of the client device 101.sub.1. For example, after the network controller 103.sub.1 has failed to receive an acknowledgement or response to an authentication request message after a predefined period of time and/or after a predefined number of retries, operation 301 may determine that the external RADIUS server 109.sub.1 is inaccessible]
Regarding Claim 21, Yuan discloses wherein the…channel comprises Hypertext Transfer Protocol Secure (HTTPS) or remote authentication dial-in user service (RADIUS) over Internet Protocol Security (IPsec) [paragraph 0026 and Figure 3, The network controllers 103.sub.1 and 103.sub.2 may store these RADIUS attributes for use during subsequent authentication/re-authentication procedures when the external RADIUS servers 109.sub.1 and 109.sub.2 are inaccessible – teaches a “subsequent…re-authentication” which indicates a re-authentication request during a re-authentication period]
Yuan does not explicitly teach the secure channel.
Strand teaches the secure channel [Abstract, for provisioning account credentials via a trusted channel] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Strand with the disclosure of Yuan. The motivation or suggestion would have been to “provide an automated approach to registering and/or authenticating multiple accounts for a device that is considered trusted.” (paragraph 0013)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include  1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP;  2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923.  The examiner can normally be reached on M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANDREW J STEINLE/Primary Examiner, Art Unit 2497