DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 01/28/2021.
In the instant Amendment, claims 7, 13-14, and 20 have been amended; no claims were cancelled; and claims 1, 8, and 14 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Final.
Response to Arguments
The non-statutory obviousness type double patenting rejection to claims 1-20 is withdrawn as a terminal disclaimer has been filed and approved.
The interpretation of claims 7, 13-14, and 20 is withdrawn as the claims have been amended.
Applicants’ arguments in the instant Amendment, filed on 01/28/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments with regards to claim 14: “It is submitted that the cited reference does not teach the claim 14 feature of “upon connection of a computing device to a network, prevent the computing device from accessing any resources of the network except a network access control device.” (emphasis added). The Office action cites to paragraph [0077] of Burch in support of its rejection. However, paragraph [0077] of Burch teaches operations that are performed “after policy information 330 is obtained.” Accordingly, the cited operations of Burch are not performed upon a connection of its computing device to a network.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Burch does teach ‘upon connection of a computing device to a network, prevent the computing device from accessing any resources of the network except a network access control device’. Paragraph [0076] of Burch describes a user issuing an HTTP GET request on a browser running on a computer to access an application server, which corresponds to “upon connection of a computing device to a network.” Paragraph [0076] of Burch further teaches the request being routed to a reverse proxy where policy information is accessed. Paragraph [0077] of Burch goes on to describe how the reverse proxy may determine that the user is first required to authenticate its identity before accessing the application server resource. According to paragraphs [0077]-[0078] of Burch, the reverse proxy may determine that authentication of the user identity is necessary before providing access to the application servers, and the reverse proxy can redirect the user to the identity service to perform the required authentication. After successfully authenticating the user with credentials and user identifiers, the identity service may redirect the user back to the reverse proxy. Under the broadest reasonable interpretation, intercepting the user request at a reverse proxy, redirecting the user to an identity service, and requiring user authentication prior to providing access to the application server resources teaches the claim limitation of “prevent the computing device from accessing any resources of the network except a network access control device.”
Applicant’s arguments with regards to claim 1: “Wei does not teach the authentication of an endpoint device as a corporate device. The Office action also cites to paragraph [0050] of Wei which refers “corporate polices.” However, this reference to “corporate” is in regards to whether mobile device 19 is compliant with corporate policies. To the contrary, it is submitted that mobile device is not a corporate device and, thus, why VPN gateway 12 undergoes a determination of whether the mobile device 19 is compliant with corporate policies. If mobile device 12 were a corporate device, there would be no need for VPN gateway 12 to perform such a determination.”
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Wei does teach ‘validate a client certificate corresponding to the endpoint device to authenticate the endpoint device as a corporate device.’ Paragraph [0007] of Wei describes a client side application that provides user authentication for secure enterprise connectivity, and that the multi-service client allows enterprise and service provider IT staff to reduce the number of software agents required and installed on employee devices, thus minimizing potential software conflicts; this teaches ‘validate a client certificate corresponding to the endpoint device to authenticate the endpoint device as a corporate device.’
Applicant’s arguments with regard to claim 8: “It appears that the Office action is alleging that the profile settings of Burch are access permissions. Applicant respectfully disagrees and submits that the profile settings of Burch contain information about the user, such as profile name. It would be readily appreciated by one of ordinary skill in the art that the entry of information such as a profile name is not the setting of an access permission as recited by claim 8.”
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Wei does teach ‘setting access permissions for the client device to restrict access to resources of the network.’ Figure 7A and paragraph [0066] of Wei illustrate and describe how the user may select a user profile, such as Test Profile and Corporate Profile, or create a new user profile. Paragraph [0070] of Wei further teaches how an administrator may configure specified roles or levels of trust for a user that connects to an enterprise policy when accessing the secure VPN gateway. Access to the network is restricted based on roles and trust levels that are associated with a user profile. Under the broadest reasonable interpretation, a user selecting a corporate profile that includes admin specified roles or levels of trust that are applied through an enterprise policy teaches the limitation of “setting access permissions for the client device to restrict access to resources of the network.”

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 14 is rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Burch et al. (EP 1841174; Hereinafter “Burch”).
Regarding claim 14, Burch teaches a non-transitory computer readable storage medium storing instructions, which when executed, cause a processing device to: 
upon connection of a computing device to a network (Burch: Para. [0076], Responsive actions performed by user 305, WWW browser may issue an HTTP GET request directed to application servers 340 via Internet communications channel 320. This message may be routed to the reverse proxy 325 which, due to the configuration of firewall 310, may accept the request. Responsive to the receipt of the request, the reverse proxy 325 may access policy information 330.), prevent the computing device from accessing any resources of the network except a network access control device (Burch: Para. [0077], After the policy information 330 is obtained, the reverse proxy 325 may determine that user 305 (first principal) is required to authenticate its identity before accessing application servers 340 (second principals). Para. [0078], The reverse proxy 325 may redirect user 305 to the identity service 360 to perform the required authentication using Internet communication channel 355. The interaction of user 305 with the identity service 360 is described in detail in conjunction with FIG. 2 and FIG. 4, discussed below. During the authentication process, user 305 may be required to produce a first set of credentials along with secondary identifiers 365. [under the BRI, reverse proxy requiring redirect to authenticate meets prevent the computing device from accessing any network resources except a network access control device limitation]); 
establish a connection between the network access control device and the computing device (Burch: Para. [0079], Upon receipt of the redirected request, the reverse proxy 325 may identify authentication information embedded within it. This information could include a token identifying an authentication credential 375 encoded within the URL as in the Liberty and SAML specifications. Alternatively, the request itself may include an authentication credential 375 as an HTTP POST parameter. There are a number of ways authentication information may be included in the redirected request. The embodiments of the invention should not be read as limited to any particular technique. [connection is established via HTTP request]); 
determine, by the processing device, whether the computing device is an authorized computing device (Burch: Para. [0079], Para. [0018], Some of these techniques include Public Key Infrastructure (PKI) techniques including public-private key pairs, digital certificates. Para. [0043], Para. [0061], For example, rather than a password, the first credentials may include a PKI key/certificate pair. Para. [0042], For example, an authentication service, which implements the Liberty or SAML specification, may encode a token within the redirected request’s Uniform Resource Locator (URL). Para. [0042], In such a scenario, the processing, at 150, may open a secure communication link to the authentication service and issue a request for the authentication credential, which is associated with the token. The authentication service may then respond to the request by providing the credential associated with the token. Thus, at 150, the front-end service obtains the authentication credential. Para. [0067]-[0068], Para. [0079]); and 
when the computing device is an authorized computing device, allow the computing device to access additional resources of the network (Burch: Para. [0082], After successfully authenticating the session of user 305, a request for the resource may be issued to the application servers 340 (second principals).).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1, 3-4, 8, 10-11, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Burch et al. (EP 1841174; Hereinafter “Burch”) in view of Wei et al. (US 2012/0002813; Hereinafter “Wei”).
Regarding claim 1, Burch teaches a system comprising: a memory; and a processing device operatively coupled to the memory, the processing device to: 
detect a connection of an endpoint device at a network switch coupled to a network (Burch: Para. [0076], Responsive actions performed by user 305, WWW browser may issue an HTTP GET request directed to application servers 340 via Internet communications channel 320. This message may be routed to the reverse proxy 325 which, due to the configuration of firewall 310, may accept the request. Responsive to the receipt of the request, the reverse proxy 325 may access policy information 330.); 
restrict access of the endpoint device to prevent the endpoint device from accessing resources of the network (Burch: Para. [0077], After the policy information 330 is obtained, the reverse proxy 325 may determine that user 305 (first principal) is required to authenticate its identity before accessing application servers 340 (second principals). Para. [0078], The reverse proxy 325 may redirect user 305 to the identity service 360 to perform the required authentication using Internet communication channel 355. The interaction of user 305 with the identity service 360 is described in detail in conjunction with FIG. 2 and FIG. 4, discussed below. During the authentication process, user 305 may be required to produce a first set of credentials along with secondary identifiers 365. [redirection includes restriction of access to the resources of the network until authentication is performed]); 
establish a connection with the endpoint device (Burch: Para. [0079], Upon receipt of the redirected request, the reverse proxy 325 may identify authentication information embedded within it. This information could include a token identifying an authentication credential 375 encoded within the URL as in the Liberty and SAML specifications. Alternatively, the request itself may include an authentication credential 375 as an HTTP POST parameter. There are a number of ways authentication information may be included in the redirected request. The embodiments of the invention should not be read as limited to any particular technique. [connection is established via HTTP request]); 
validate a client certificate corresponding to the endpoint device to authenticate the endpoint device (Burch: Para. [0079], Para. [0018], Some of these techniques include Public Key Infrastructure (PKI) techniques including public-private key pairs, digital certificates. Para. [0043], Para. [0061], For example, rather than a password, the first credentials may include a PKI key/certificate pair); and 
grant the endpoint device access to the resources of the network (Burch: Para. [0082], After successfully authenticating the session of user 305, a request for the resource may be issued to the application servers 340 (second principals).).
Burch does not explicitly teach authenticate the endpoint device as a corporate device.  In an analogous art, Wei, in combination with Burch, teaches a system and method wherein authenticate the endpoint device as a corporate device (Wei: Para. [0007], the multi-service client integrates with an operating system of the device so as to provide a single entry point for user authentication for secure enterprise connectivity, endpoint security services including endpoint compliance with respect to anti-virus and spyware software, acceleration, and comprehensive integrity checks. Para. [0050], In some embodiments, VPN handler 68 incorporate a "host checker" module that inventories a state of mobile device 19, builds a health status report and passes the health status report to VPN gateway 12 at the time of login for processing and determination as to whether mobile device 19 is compliant with corporate policies. Para. [0067], VPN handler 68 uses the selected certificate for user authentication when establishing the VPN connection with secure VPN gateway 12 associated with the specified address or URL.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wei with the system and method of Burch to include wherein authenticate the endpoint device as a corporate device because this functionality ensures that devices connecting to the enterprise network comply with corporate policies to protect network resources (Wei: Para. [0050]). 
Regarding claim 3, Burch, in combination with Wei, teaches the system of claim 1, wherein to establish the connection with the endpoint device, the processing device to receive a communication request from a network access control agent on the endpoint device (Burch: Para. [0010], An entity can be a resource, a user, an agent, an application, a system, a service, a group, a department, an object, or the like. An entity consumes information, provides information, provides a service to other entities over the network, or performs any combination of such operations. [an agent/application on a computer], Para. [0076], Wei: Para. [0069], In some cases, VPN control application 80 specifies a specific HTTP user agent in the HTTPS request during the login phase to signal to VPN gateway 12 that the requesting device is a mobile device, thereby allowing VPN gateway 12 to select customized web-pages for the device.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wei with the system and method of Burch to include the processing device to receive a communication request from a network access control agent on the endpoint device because this (Wei: Para. [0038]). 
Regarding claim 4, Burch, in combination with Wei, teaches the system of claim 1, wherein to establish the connection with the endpoint device, the processing device to monitor network traffic through the switch and detect a presence of the endpoint device (Wei: Para. [0027], In the example of FIG. 1, endpoint computing devices 18 connect to network access device 36 via network switch 38. In one embodiment, network switch 38 may comprise digital subscriber line access multiplexers (DSLAMs) or other switching device. Each of endpoint computing devices 18 may utilize a Point-to-Point Protocol (PPP), such as PPP over ATM or PPP over Ethernet (PPPoE), to communicate with network switch 38. For example, using PPP, one of endpoint computing devices 18 may request access to broadband network 29 and provide login information, such as a username and password, for authentication by authentication device ("AD") 30. PPP may be supported on lines such as digital subscriber lines (DSLs) that connect endpoint computing devices 18 with network switch 38. [endpoint connects to network device via switch] Para. [0025]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wei with the system and method of Burch to include wherein to establish the connection with the endpoint device, the processing device to monitor network traffic through the switch and detect a presence of the endpoint device because this functionality ensures that devices connecting to the enterprise network comply with corporate policies to protect network resources (Wei: Para. [0050]). 

Regarding claim 8, Burch teaches a method comprising:
detecting a connection of a client device to a network (Burch: Para. [0076], Responsive actions performed by user 305, WWW browser may issue an HTTP GET request directed to application servers 340 via Internet communications channel 320. This message may be routed to the reverse proxy 325 which, due to the configuration of firewall 310, may accept the request. Responsive to the receipt of the request, the reverse proxy 325 may access policy information 330.); 
establishing a connection between a network access control device and the client device (Burch: Para. [0079], Upon receipt of the redirected request, the reverse proxy 325 may identify authentication information embedded within it. This information could include a token identifying an authentication credential 375 encoded within the URL as in the Liberty and SAML specifications. Alternatively, the request itself may include an authentication credential 375 as an HTTP POST parameter. There are a number of ways authentication information may be included in the redirected request. The embodiments of the invention should not be read as limited to any particular technique. [connection is established via HTTP request]); 
authenticating, by a processing device, the client device based on a client security token (Burch: Para. [0042], For example, an authentication service, which implements the Liberty or SAML specification, may encode a token within the redirected request’s Uniform Resource Locator (URL). Para. [0042], In such a scenario, the processing, at 150, may open a secure communication link to the authentication service and issue a request for the authentication credential, which is associated with the token. The authentication service may then respond to the request by providing the credential associated with the token. Thus, at 150, the front-end service obtains the authentication credential. Para. [0067]-[0068], Para. [0079]); and 
Burch does not explicitly teach setting access permissions for the client device to restrict access to resources of the network; updating the access permissions to grant the client device access to the resources of the network in response to the authenticating.
In an analogous art, Wei, in combination with Burch, teaches a system and method wherein setting access permissions for the client device to restrict access to resources of the network (Wei: Para. [0067], display 125 presented by VPN control application 80 when the user selects input mechanism 122 (FIG. 7A) and creates a new user profile. In this example, the user is able to enter a profile name and a URL or address associated with the target enterprise. In some cases the user may also select a particular digital certificate from a list of certificates installed on mobile device 19. VPN handler 68 uses the selected certificate for user authentication when establishing the VPN connection with secure VPN gateway 12 associated with the specified address or URL. [selection of profile settings meets access permissions]); 
updating the access permissions to grant the client device access to the resources of the network in response to the authenticating (Wei: Para. [0070], display 137 presented by VPN control application 80 after VPN handler 68 has successfully authenticated the user logged into the enterprise and established the VPN connection with VPN gateway 12. In this case, the administrator has defined a plurality of different roles for the user. Moreover, each of the roles may allow access to a specific set of protected resources 14. To further increase security, the administrator may configure secure VPN gateway 12 to present all or only an identified subset of the user's roles to the user when VPN access is being made through mobile device 19, which may be more readily stolen and compromised versus a home computer. In addition, the administrator may be able to further refine the set of roles available to the user based on position information received from mobile device 19 at the time the VPN connection is established, where the position information may comprise GPS coordinates of the mobile device, cell information identifying a current cell, or a combination thereof. For example, secure VPN gateway 12 may allow the administrator to define certain geographic regions and assign those geographic regions a level of trust. In addition, the administrator may specify a required level of trust for a role to be made available to a user over the VPN connection, and the required level of trust can be specified on a per-user basis. From the overall roles for the user, secure VPN gateway 12 constructs a set of roles to be presented to the user by mobile device 19. 
Secure VPN gateway 12 may determine the set, for example, based on a level of trust assigned by the administrator for the geographic region in which mobile device 19 is currently positioned as well as any user-specific threshold level of trust assigned by the administrator that must be met before a given role is available for the particular user when using a mobile device. For example, the administrator may specify a level of trust of `5` (e.g., full trust) for the United States and `3` (moderate trust) for a second geographic region that the administrator or enterprise policies deems more likely of a security risk. In addition, the administrator may assign a required level of `5` to an "administrator role." As such, those users eligible for the "administrator role" may be presented with such an option when accessing secure VPN gateway 12 within mobile device 19 from within the United States but not when accessing the secure VPN gateway from the second geographic region.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wei with the system and method of Burch to include setting access permissions for the client device to restrict access to resources of the network; updating the access permissions to grant the client device access to the resources of the network in response to the authenticating because this functionality provides for configuration of access permission via user profiles and roles when connecting to the enterprise network to comply with corporate policies to protect network resources (Wei: Para. [0070]). 
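The role-selection scheme quoted from Wei at paragraph [0070] (administrator-assigned trust per geographic region, a required trust level per role, and an optional per-user threshold) can be written out as a small policy function. The Python below is an added illustration prepared for this page; it is not code from Wei, from Burch, or from the application under examination. The region names, role names, trust values and the user "alice" are constructed sample data, and the choice to treat an unknown region as trust level 0 (so that no role is offered) is an assumption made here rather than something Wei states.

```python
"""Role filtering by region trust level, modelled on the scheme quoted from Wei [0070].

Added example for this page; not code from any cited reference or from the application.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    required_trust: int  # level of trust the administrator requires for this role


@dataclass
class GatewayPolicy:
    # Trust level the administrator assigned to each geographic region.
    region_trust: dict
    # Roles defined for each user (the "overall roles for the user").
    user_roles: dict
    # Optional per-user threshold that must be met before any role is offered
    # over a mobile connection.
    user_threshold: dict = field(default_factory=dict)

    def region_level(self, region: str) -> int:
        # Assumption (not from Wei): a region the administrator never rated gets
        # the lowest trust, so nothing is offered from it (fail closed).
        return self.region_trust.get(region, 0)

    def roles_presented(self, user: str, region: str, from_mobile: bool) -> set:
        """Return the set of role names the gateway presents to the user.

        From a non-mobile client the full role set is returned. From a mobile
        device the set is narrowed: the region's trust must meet the user's own
        threshold, and each role's required trust must not exceed the region's
        trust level.
        """
        overall = set(self.user_roles.get(user, ()))
        if not from_mobile:
            return overall
        level = self.region_level(region)
        if level < self.user_threshold.get(user, 0):
            return set()
        return {role.name for role in ROLES if role.name in overall
                and role.required_trust <= level}


# Constructed sample data (values chosen to mirror Wei's worked example).
ROLES = (
    Role("administrator", required_trust=5),
    Role("employee", required_trust=1),
)

POLICY = GatewayPolicy(
    region_trust={"UNITED_STATES": 5, "REGION_B": 3},
    user_roles={"alice": {"administrator", "employee"}, "bob": {"employee"}},
    user_threshold={"bob": 4},  # bob gets nothing on mobile unless region trust >= 4
)


def demo() -> dict:
    """Evaluate the sample policy for a few scenarios and return the results."""
    return {
        "alice_us_mobile": POLICY.roles_presented("alice", "UNITED_STATES", True),
        "alice_b_mobile": POLICY.roles_presented("alice", "REGION_B", True),
        "alice_b_desktop": POLICY.roles_presented("alice", "REGION_B", False),
        "alice_unknown_mobile": POLICY.roles_presented("alice", "REGION_X", True),
        "bob_b_mobile": POLICY.roles_presented("bob", "REGION_B", True),
        "bob_us_mobile": POLICY.roles_presented("bob", "UNITED_STATES", True),
    }


if __name__ == "__main__":
    for scenario, roles in demo().items():
        print(f"{scenario}: {sorted(roles)}")
```

Running the module shows the behaviour Wei describes: alice is offered the administrator role from the United States (trust 5) but only the employee role from the second region (trust 3), while the unrated region and bob's per-user threshold both result in no roles at all.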
Regarding claims 10-11, claims 10-11 are rejected under the same rationale as claims 3-4, respectively.
Regarding claims 16-17, claims 16-17 are rejected under the same rationale as claims 3-4, respectively.

Claim(s) 2, 6, and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Burch et al. (EP 1841174; Hereinafter “Burch”) in view of Wei et al. (US 2012/0002813; Hereinafter “Wei”) in view of Damola et al. (US 2011/0002341; Hereinafter “Damola”) and further in view of Tsao et al. (US 7,574,202; Hereinafter “Tsao”).
Regarding claim 2, Burch, in combination with Wei, teaches the system of claim 1. Burch, in combination with Wei, does not explicitly teach wherein to restrict access of the endpoint device, the processing device to apply at least one of an access control list or a VLAN assignment to the switch, the access control list to define which resources of the network the endpoint device can access.  
In an analogous art, Damola, in combination with Burch and Wei, teaches a system and method wherein to restrict access of the endpoint device, the processing device to apply an access control list, the access control list to define which resources of the network the endpoint device can access (Damola: Para. [0049], a useful trust model is established as the local network owner explicitly specify that the user is allowed to remotely access the network, e.g. by adding the IMS identity of the user to an ACL (Access Control List) or the like of the local network. Hence, this trust model is leveraged on the notion that the user has been both authenticated and authorised by existing IMS security mechanisms prior to admitting his/her remote device 300 for access to the local network.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Damola with the system and method of Burch and Wei to include wherein to restrict access of the endpoint device, the processing device to apply at least one of an access control list or a VLAN assignment to the switch, the access control list to define which resources of the network the endpoint device can access because this functionality provides for enhanced efficiency because the user has both been authenticated and authorized by the existing security mechanisms, which are generally considered reliable and trustworthy (Damola: Para. [0049]). 
Burch, in combination with Wei and Damola, does not explicitly teach a VLAN assignment to the switch. 
In an analogous art, Tsao, in combination with Burch, Wei, and Damola, teaches a system and method wherein to restrict access of the endpoint device, the processing device to apply at least one of a VLAN assignment to the switch (Tsao: Col. 10, Lines 12-51, WLAN Switch 315 provides assignment of User Devices 311 to its appropriate VLAN through authenticating through the RADIUS (Remote Authentication Dial-In User Service) Server 320. In addition to Access Point 312 configurations, each WLAN Switch 315 is pre-configured with up to 4096 wireless VLANs, each with a unique text-based VLAN name and 802.1q tag number and port assignment. The WLAN Switch 315 is also configured with the IP addresses of RADIUS servers 320 and the priority of how to authenticate end users against them. When a User Device 311 authenticates against the appropriate RADIUS Server 320, it requests the appropriate credentials to validate the identity of the user (MAC address, username, password, certificate). Once the identity of the user has been established, any access policies attached to that user are applied. If the user passes the access policies, the WVLAN name that the end user is assigned to is returned to the WLAN switch 315, which then assigns the User Device 311. Col. 15, Lines 12-34, Lines 46-62, Col. 7, Lines 11-38).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Tsao with the system and method of Burch, Wei, and Damola to include wherein restrict access of the endpoint device to prevent the endpoint device from accessing resources of the network by applying a VLAN assignment to the switch because this functionality provides for separation of User Devices into distinct logical groups for connection to a corporate network as tenant or guest while ensuring privacy of wireless traffic information (Tsao: Col. 10, Lines 46-51). 
Regarding claim 6, Burch, in combination with Wei, Damola, and Tsao, teaches the system of claim 2, wherein to grant the endpoint device access to the resources of the network, the processing device to update the access control list (Damola: Para. [0067], In response thereto, RA server 602 retrieves and adds a SIP URI of user X in the ACL and updates service data for the local gateway in the HSS node 604, e.g. including the above-described filter criteria, in a step 6:3. [Damola teaches updating the ACL in accordance with endpoint device after successful authentication] Para. [0083], Having received the notification, RA server 806 then updates the IMS based ACL by adding the user's IMS identity thereto, in a further step 9:10. RA server 806 also sends the OK message to IMS client 812 in a step 9:11.) for the switch based on characteristics of the endpoint device and access policy considerations of the network (Burch: Para. [0015], There are generally three types of assertions: an authentication assertion used to validate a principal’s electronic identity, an attribute assertion that includes specific attributes about the principal, an authorization assertion that identifies what the principal is permitted to do (e.g. policies). Para. [0024], the reverse proxy may act as a policy enforcement point, only allowing access to its servers to principals who have adequately authenticated their identity and/or fulfill other policy requirements. Para. [0033]-[0039] [Burch teaches utilization of policies during authentication attempts; it would be obvious to combine the policy teachings of Burch with the updating of ACL in Damola]).
Regarding claim 9, claim 9 is rejected under the same rationale as claim 2.

Claim(s) 7 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Burch et al. (EP 1841174; Hereinafter “Burch”) in view of Wei et al. (US 2012/0002813; Hereinafter “Wei”) and further in view of Rotem et al. (US 2017/0185793; Hereinafter “Rotem”).
Regarding claim 7, Burch, in combination with Wei, teaches the system of claim 1.   Burch, in combination with Wei, does not explicitly teach wherein the processing device further to: not restrict access of the endpoint device to the resources of the network when a network access control device in the network suffers a failure during authentication of the endpoint device.  
In an analogous art, Rotem, in combination with Burch and Wei, teaches a system and method wherein the processing device further to: not restrict access of the endpoint device to the resources of the network when a network access control device in the network suffers a failure during authentication of the endpoint device (Rotem: Para. [0059], It will be appreciated by those skilled in the art that embodiments of the present invention have the advantage of being fail-safe; namely, if security manager 310 fails then the enterprise does not lose its access to services 220, 230 and 240. Para. [0071], Para. [0011]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Rotem with the system and method of Burch and Wei to include wherein the processing device further to: not restrict access of the endpoint device to the resources of the network when a network access control device in the network suffers a failure during authentication of the endpoint device because this functionality provides for a fail-safe mechanism to prevent a (Rotem: Para. [0071]).
Regarding claim 13, claim 13 is rejected under the same rationale as claim 7.

Claim(s) 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Burch et al. (EP 1841174; Hereinafter “Burch”) in view of Damola et al. (US 2011/0002341; Hereinafter “Damola”) and further in view of Tsao et al. (US 7,574,202; Hereinafter “Tsao”).
Regarding claim 15, claim 15 is rejected under the same rationale as claim 2.
Regarding claim 19, claim 19 is rejected under the same rationale as claim 6.

Claim(s) 20 is rejected under 35 U.S.C. 103 as being unpatentable over Burch et al. (EP 1841174; Hereinafter “Burch”) in view of Rotem et al. (US 2017/0185793; Hereinafter “Rotem”).
Regarding claim 20, claim 20 is rejected under the same rationale as claim 7.

Allowable Subject Matter
Claims 5, 12, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NELSON S. GIDDINS/             Primary Examiner, Art Unit 2437