DETAILED ACTION
This communication is responsive to the application # 16/399,301 filed on April 30, 2019. Claims 1-20 are pending and are directed toward ONBOARDING AN UNAUTHENTICATED CLIENT DEVICE WITHIN A SECURE TUNNEL.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


 Claims 1-5, 9, 10-14, and 19 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Pomak et al. (Enterprise WiFi Hotspot Authentication with Hybrid Encryption on NFC-Enabled Smartphones, IEEE 2018, pages 247-250), hereinafter referred to as Pomak.
As per claim 1, Pomak teaches a method comprising:
All exchanged data are encrypted via hybrid cryptosystem module which turns into the secure tunnel communication. Pomak, page 248);
receiving, by the network device, user credentials associated with the user and transmitted from the unauthenticated client device within the secure tunnel (3) Set up certificates: Fig. 4 and Fig. 5 illustrate the interfaces for setting up CA and user certificates, respectively. It requires PIN, fingerprint or password from the device owner. This step represents the factor of "what you know" or "what you are" during the authentication process. Pomak, page 249);
validating, by the network device, the received user credentials (Fig. 3 illustrates the authentication steps when users connect to the enterprise Wi-Fi hotspot. The process consists of four main stages: I) Unlock Keystore, 2) Exchange certificates over NFC, 3) Setup certificates, and 4) Auto Wi-Fi connect. Pomak, page 249); and
transmitting, by the network device, at least a security certificate and device configuration information to the unauthenticated client device within the secure tunnel such that the unauthenticated client device is able to access the restricted network after installing the security certificate and applying the device configurations based on the received device configuration information (Figure 2. Procedures of certificates transmission via hybrid cryptosystem. Pomak, page 249).
As per claim 2, Pomak teaches the method of claim 1, wherein the secure tunnel comprises at least one of an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and a Protected Extensible Authentication Protocol (PEAP)-EAP-TLS (EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216 [8], is an IEEE 802.1X EAP authentication method that utilizes the TLS protocol (RPC 5246) [9]. EAP-TLS provides mutual authentication between the supplicant and the authentication server based on X.509 digital certificates which uses a public key infrastructure (PKI) concept generated by a certification authority (CA) program. The certificate contains the name of server or issuer which is required for the authentication server and for every EAP-TLS client. Typically, EAP-TLS consists of three core components: I) authenticator, 2) supplicant, and 3) backend authentication server (RADIUS). This authentication approach is considered as the most secure EAP method used in WLANs today. Pomak, page 248).
As per claim 3, Pomak teaches the method of claim 1, wherein the security certificate is used to validate the user in an authentication process compliant with IEEE 802.1X standard (EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216 [8], is an IEEE 802.1X EAP authentication method that utilizes the TLS protocol (RPC 5246) [9]. EAP-TLS provides mutual authentication between the supplicant and the authentication server based on X.509 digital certificates which uses a public key infrastructure (PKI) concept generated by a certification authority (CA) program. The certificate contains the name of server or issuer which is required for the authentication server and for every EAP-TLS client. Typically, EAP-TLS consists of three core components: I) authenticator, 2) supplicant, and 3) backend authentication server (RADIUS). This authentication approach is considered as the most secure EAP method used in WLANs today. Pomak, page 248).
As per claim 4, Pomak teaches the method of claim 1, wherein the security certificate comprises one or more of: a device certificate and a user certificate (A certificate manager is an assistant to ensure that users correctly install the obtained certificates from the provider. It requires two certificates on the client device: user certificate (user.pI2) and root certificate authority (CA.crt). This module is essential for user privacy as setting up certificates without user's awareness could lead to serious consequent issues. Pomak, page 248).
As per claim 5, Pomak teaches the method of claim 1, wherein the device configuration information comprises one or more of: profile information, connectivity setting information, and security setting information (The NFC reader (ACRI22U) connects up the authentication server as data exchange channel. NFC is utilized in exchange for network configuration information with hybrid cryptosystem scheme. It is divided into two separate workflows: 1) Certificates transmission, and 2) Wi-Fi Authentication. Pomak, page 249).
As per claim 9, Pomak teaches the method of claim 1, wherein both authentication of the user and enrollment of the unauthenticated client device are completed in a single transaction within the secure tunnel (The session key is encrypted by the server's public key which turns into encrypted data (cipher) and returns to server. The server-side gets the message and uses its private key to decrypt the encrypted session key. Then cipher message is reproduced and feed its payload through HMAC algorithm to produce MI value, which is added at the end of the master encrypted data then deliver back to the smartphone. The client-side checks the message integrity by reproducing another MAC value (M2) using its session key and the obtained cipher from the server. Next, the produced value of M2 is compared with the received value of Ml. If they are identical then store the certificate data and continue to receive next packages, otherwise, the message needs to be discarded. Pomak, page 249).
Claims 10-14 and 19 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pomak et al. (Enterprise WiFi Hotspot Authentication with Hybrid Encryption on NFC-Enabled Smartphones, IEEE 2018, pages 247-250), in view of Wilson (US 8,392,712, Mar.5, 2013), hereinafter referred to as Pomak and Wilson.
As per claim 6, Pomak teaches the method of claim 1, but does not teach a captive portal, Wilson however teaches wherein the network device refrains from assigning a temporary Internet Protocol (IP) address to the unauthenticated client device, redirecting the unauthenticated client device to a captive portal, (One type of "device fingerprinting" involves analysis of contents within a Dynamic Host Configuration Protocol (DHCP) Options field of a DHCP Discovery message. Client device 110 broadcasts a DHCP Discovery message in efforts to obtain an Internet Protocol (IP) address for use on network 100. In many cases, the content within the DHCP Options field suggests capabilities ( e.g., information directed to functionality of the device such as operating system used, authentication protocol(s) supported, etc.) and/or type of device ( e.g., information to identify the device such as manufacturer name, product name, etc.), which may assist authenticator 160 in determining whether client device 110 should be placed into a provisioning role. Herein, the device capabilities and/or device type information, which are explicitly identified or inferred, may be generally referred to as "device characteristics". More specifically, if authenticator 160 is unable to recognize an identity of client device 110 as the device characteristics is not identifiable, client device 110 is placed into a provisioning role, which restricts its access to network resources 150 and, in some cases, may trigger communications with Captive Portal instance 230 for subsequent requests for access to network resources 150. Wilson, Column 4, lines 56-67 – Column 5, lines 1-11) and facilitating the unauthenticated device to download a client-side onboarding application prior to transmitting the security certificate and the device configuration information to the unauthenticated client device within the secure tunnel (The reason is that, for Windows® and MAC OS® X platforms, from the web browser, a program can be selected for download and run. For electronic devices with the Android® OS, however, the credential provisioning program needs to be pre-loaded before it can be run. For instance, a small MIME type file can be loaded onto the Android® device that is registered with the QuickConnect™ application on the phone. The browser then starts the QuickConnect™ application, which proceeds to obtain the unique device credential(s) from the provisioning logic as set forth in operations 630-636. Wilson, Column 10, lines 17-26).
Pomak in view of Wilson are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pomak in view of Wilson. This would have been desirable because as an example, controller 210 may restrict access to network resources 150 by redirecting certain messages from client device 110 to a Captive Portal instance 230 supported by authentication system 130. (Wilson, Column 4, lines 33-36).

Claims 15 and 20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.

Claims 7, 8  and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Pomak et al. (Enterprise WiFi Hotspot Authentication with Hybrid Encryption on NFC-Enabled Smartphones, IEEE 2018, pages 247-250), in view of Inverse (Network Devices Configuration Guide for PacketFence version 8.0.0, April 2018, 195 pages), hereinafter referred to as Pomak and Inverse.
As per claim 7, Pomak teaches the method of claim 1, but does not teach re-authentication, Inverse however teaches further comprising:
transmitting, by the network device, a re-authentication request such that the unauthenticated client device uses updated configurations based on the received device configuration information to complete its authentication to access the restricted network (At this point, user registration with the captive-portal is possible and registered users should have access to the appropriate VLANs. However, VLAN changes (like after a registration) won’t automatically happen, you will need to disconnect / reconnect. An explanation is provided in introduction section above about this behavior. Inverse, page 98).
Pomak in view of Inverse are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pomak in view of Inverse. This would have been desirable because Wireless network access configuration is a lot more consistent between vendors. This is due to the fact that the situation is a lot more standardized than the wired side: VLAN assignment is done centrally with RADIUS and that the client protocol is consistent (MAC-Authentication or 802.1X). This consistency has the benefit that a lot of the wireless network devices tend to work out-of-the-box with PacketFence. The only missing piece being, in most cases, remote deauthentication of the client which is used for VLAN assignment (deauth user so it’ll reconnect and get new VLAN). So, even if your wireless equipment is not explicitly supported by PacketFence, it’s recommended that you give it a try. The next section covers the objectives that you want to accomplish for trying out your equipment even if we don’t have configuration for it (Inverse, page 98).

As per claim 8, Pomak in view of Inverse teaches the method of claim 7, wherein the re-authentication request (Enable 802.1X globally dot1x-enable re-authentication enable ethe 1/1/xx, Inverse, page 21) comprises at least one of a Change of Authorization (CoA) message (CoA configuration aaa server radius dynamic-author client 192.168.1.5 server-key useStrongerSecret port 3799, Inverse, page 28) and a packet of disconnect (PoD) message (You can try modules similar to your equipment if any (read appropriate instructions) or you can try to see if RFC3576 is supported. RFC3576 covers RADIUS Packet of Disconnect (PoD) also known as Disconnect Messages (DM) or Change of Authorization (CoA). You can try the Aruba module if you want to verify if RFC3576 is supported by your hardware. Inverse, page 98).
Pomak in view of Inverse are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pomak in view of Inverse. This would have been desirable because Wireless network access configuration is a lot more consistent between vendors. This is due to the fact that the situation is a lot more standardized than the wired side: VLAN assignment is done centrally with RADIUS and that the client protocol is consistent (MAC-Authentication or 802.1X). This consistency has the benefit that a lot of the wireless network devices tend to work out-of-the-box with PacketFence. The only missing piece being, in most cases, remote deauthentication of the client which is used for VLAN assignment (deauth user so it’ll reconnect and get new VLAN). So, even if your wireless equipment is not explicitly supported by PacketFence, it’s recommended that you give it a try. The next section covers the objectives that you want to accomplish for trying out your equipment even if we don’t have configuration for it (Inverse, page 98).

Claims 16-18 have limitations similar to those treated in the above rejections, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/OLEG KORSAK/
Primary Examiner, Art Unit 2492