DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 05/22/2019, in which claim(s) 1-20 are pending. Claim(s) 1, 13 and 19 are independent.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/22/2019 has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 05/22/2019 are accepted by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 3-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons et al. (US 2018/0288048 A1, cited by the applicant in the 05/22/2019 IDS) in view of Lander et al. (US 2017/0331832 A1).
Regarding claim 1, Gibbons discloses A method, comprising: 
receiving an access-request message associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource managed, in part, by a policy management (PM) system connected to a network infrastructure (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS protocol Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052] to a network infrastructure); 
obtaining an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of the PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, i.e. the attribute representing a first policy rule to be applied to resource requests from the user); 
augmenting a record to each of a plurality of PM nodes collectively providing functionality of the PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); and
propagating the record throughout the plurality of PM nodes of the PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”).  
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).
Gibbons and Lander are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record (as taught by Gibbons) in a distributed data store accessible (as taught by Lander) to each of the plurality of PM nodes. The motivation/suggestion would have been for storing cached objects to speed up performance of identity management in a cloud system (Lander, [0002], [0110]).

Regarding claim 3, the combined teaching of Gibbons and Lander teaches wherein the access-request message is received at a first PM node of the plurality of PM nodes and the attribute is obtained from a data base external to the first PM node, the data base containing information about a plurality of policy rules including the first policy rule (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, “external database 24” in Fig. 1).

Regarding claim 4, the combined teaching of Gibbons and Lander teaches sharing at least a portion of the information about the attribute and the policy rule with an infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 5, the combined teaching of Gibbons and Lander teaches wherein sharing at least the portion of the information comprises embedding the portion of information within a segment of the RADIUS protocol message in conformance with an industry standard for a RADIUS protocol (Gibbons, [0002], “An extension to the RADIUS protocol commonly used to initiate a change of authorization (CoA) is the Dynamic Authorization Extensions to RADIUS”).

Regarding claim 6, the combined teaching of Gibbons and Lander teaches wherein the infrastructure device of the network infrastructure determines compliance of the first policy rule based on the RADIUS protocol message (Gibbons, [0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, “If RADIUS server 14 includes a configuration record for the subscriber and the authentication credentials are correct, RADIUS server 14 returns a RADIUS protocol 

Regarding claim 7, the combined teaching of Gibbons and Lander teaches wherein the access-request message is received at a first PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14”) and further comprising: 
receiving an accounting-request message at a second PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); 
updating the record to reflect the accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); and 
propagating the updated record throughout the plurality of PM nodes of the PM system (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”).  

Regarding claim 8, the combined teaching of Gibbons and Lander teaches sharing at least a portion of information from the updated record with an infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 9, the combined teaching of Gibbons and Lander teaches wherein the infrastructure device of the network infrastructure is a firewall or a network authentication server (NAS) (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers, such as (network) authentication server 22”).

Regarding claim 10, the combined teaching of Gibbons and Lander teaches wherein sharing the at least a portion of the information from the updated record is performed by a third PM node of the plurality of PM nodes, based on information propagated from the second PM node (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”, [0026], “External database 24 (i.e. 3rd PM node) is a backend database that RADIUS server 14 may use to store accounting information”).

Regarding claim 11, the combined teaching of Gibbons and Lander teaches wherein performance of the third PM node of the plurality of PM nodes is indicated by a load balancing capability of the PM system (Lander, [0258], “load balancer for load balancing”).

Regarding claim 12, the combined teaching of Gibbons and Lander teaches wherein each of the plurality of PM nodes of the PM system are nodes of a cluster configuration implemented to collectively provide functionality of the PM system as a high-availability (HA) PM system (Lander, [0114], “to provide high level service”, [0208], “a high-performance network”).

Regarding claim 13, Gibbons discloses A network infrastructure device to manage authentication, authorization, and accounting (AAA) activities on a first network (Abstract, “a RADIUS server (as the network infrastructure device) for a service provider network (i.e. the first network)”, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”), the network infrastructure device comprising: 
a network interface communicatively coupled to the first network ([0034], “RADIUS server 14 includes control unit 30 and network interface 32”); 
a processing device communicatively coupled to the network interface ([0034], “RADIUS server 14 includes control unit 30 and network interface 32”); and 
a non-transitory storage medium readable by the processing device and storing instructions, that when executed by the processing device ([0053], “Control unit may comprise one or more processors that execute software instructions, such as those used to define a software or computer program, stored to a computer-readable storage medium”), cause the network infrastructure device to provide functionality of a first PM node of a plurality of PM nodes ([0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”), and to: 
receive an access-request message associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource of the first network and managed, in part, by a policy management (PM) system connected to the first network (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052]); 
obtain an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of the PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the subscriber is accessing”, i.e. the attribute representing a first policy rule to be applied to resource requests from the user); 
augment a record to each of the plurality of PM nodes collectively providing functionality of the PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); and
propagate the record throughout the plurality of PM nodes of the PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”).  
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).


Regarding claim 15, the combined teaching of Gibbons and Lander teaches share at least a portion of the information about the attribute and the policy rule with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 16, the combined teaching of Gibbons and Lander teaches
receive, via data store propagation, data regarding an accounting-request message processed at a second PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); and 
update a local instance to reflect the accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); and
forward the data regarding the accounting-request to a third PM node of the plurality of PM nodes (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”, [0026], “External database 24 (i.e. 3rd PM node) is a backend database that RADIUS server 14 may use to store accounting information”).  

Regarding claim 17, the combined teaching of Gibbons and Lander teaches share at least a portion of information from the updated record with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).

Regarding claim 18, the combined teaching of Gibbons and Lander teaches wherein the different infrastructure device of the network infrastructure is a firewall or a network authentication server (NAS) (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers, such as (network) authentication server 22”).

Regarding claim 19, Gibbons discloses A non-transitory computer readable medium comprising instructions stored thereon that, when executed by a processor of a first network infrastructure device (Abstract, “a RADIUS server (as the network infrastructure device) for a service provider network (i.e. the first network)”, [0053], “Control unit may comprise one or more processors that execute software instructions, such as those used to define a software or computer program, stored to a computer-readable storage medium”), cause the first network infrastructure device to:
receive an access-request message associated with a client device and a user of the client device, the access-request message pertaining to requested access to a network resource of a first network and managed, in part, by a policy management (PM) system connected to the first network (see Fig. 1, subscriber devices, [0025], “When BNG 10 receives authentication data from the subscriber in a request to access SP network 12 services, BNG 10 sends a RADIUS protocol Access-Request (message) to RADIUS server 14”, in Fig. 1 a network system “perform policy management” [0052], “a service provider network”, i.e. the first network); 
obtain an attribute representing a first policy rule to be applied to resource requests from the user, the first policy rule representing an enforcement policy of a distributed PM system ([0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user name and password, an identifier for BNG 10 (e.g., the "BNG-ID"), BNG 10 network address, and the Port ID the 
augment a record to each of a plurality of PM nodes collectively providing functionality of the distributed PM system, the record to provide each of the plurality of PM nodes information about the attribute and the first policy rule ([0033], “outputting RADIUS messages 16 with attributes 18 that indicate a bulk transaction having multiple CoA requests identified by a common transaction identifier attribute”); and 
propagate the record throughout the plurality of PM nodes of the distributed PM system ([0006], “enabling bulk delivery of change of authorization (CoA) data (i.e. the record) via AAA protocols”, “send multiple RADIUS messages having portions of the CoA data”, [0033], “initiates the transaction by outputting RADIUS messages”); and
share at least a portion of the information about the attribute and the first policy rule with a second infrastructure device of the first network via a remote authentication dial-in user service (RADIUS) protocol message ([0018], “a network system having a Remote Access Dial in User Service (RADIUS) server that supports bulk delivery of change of authorization (CoA) data”, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers, such as (network) authentication server 22”, i.e. the second infrastructure device).  
Gibbons does not explicitly teach but Lander teaches in a distributed data store accessible ([0207], “a distributed data grid 1200 which stores data and provides data access to clients”).


Regarding claim 20, the combined teaching of Gibbons and Lander teaches
wherein the access-request message is received at a first PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14”) and further comprising instructions to cause the network infrastructure device to:
receive, via data store propagation, data regarding an accounting-request message processed at a second PM node of the plurality of PM nodes (Gibbons, [0024], “to a specified RADIUS server 14, a device that receives and processes connection requests or receives and processes connection requests or accounting messages sent by BNG 10”); and 
update a local instance to reflect the accounting-request message and create an updated record (Gibbons, [0026], “External database 24 is a backend database that RADIUS server 14 may use to store accounting information”, [0030], “RADIUS server 14 may determine an updated set of services for the subscriber of SP network 12”) in the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”); and 
forward the data regarding the accounting-request to a third PM node of the plurality of PM nodes (Gibbons, [0025], “RADIUS server 14 may store or forward this information to support billing for the services provided”, [0026], “External database 24 (i.e. 3rd PM node) is a backend database that RADIUS server 14 may use to store accounting information”); and 
share at least a portion of information from the updated record with a different infrastructure device of the network infrastructure via a remote authentication dial-in user service (RADIUS) protocol message, wherein the different infrastructure device lacks direct access to the distributed data store (Gibbons, [0026], “RADIUS server 14 may outsource some AAA functionality to one or more backend servers”, [0028], “Radius server 14 may initiate a change of services at BNG 10 using RADIUS messages 16”).



Claims 2 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gibbons et al. (US 2018/0288048 A1, cited by the applicant in the 05/22/2019 IDS) in view of Lander et al. (US 2017/0331832 A1) further in view of Chirca et al. (US 2014/0115279 A1).
Regarding claims 2 and 14, the combined teaching of Gibbons and Lander teaches wherein the distributed data store (Lander, [0207], “a distributed data grid 1200 which stores data”) having a locally accessible data store for each of the plurality of PM nodes of the PM system to maintain shared information about states of client devices and a plurality of policy rules including the first policy rule, each of the plurality of policy rules enforced by the PM system (Gibbons, Abstract, “a RADIUS server for a service provider network”, [0025], “Access-Request (message) to RADIUS server 14 containing attributes 18 such as the subscriber user 
The combined teaching of Gibbons and Lander does not explicitly teach but Chirca teaches a multi-master cache (title, “Multi-Master Cache”).
Gibbons, Lander and Chirca are analogous art as they are in the same field of endeavor of information technology. At the time of invention, it would have been obvious to one of ordinary skill in the art to augment a record in a distributed data store accessible to each of the plurality of PM nodes (as taught by the combined teaching of Gibbons and Lander) wherein the distributed data store represents a multi-master cache (as taught by Chirca). The motivation/suggestion would have been to provide very high bandwidth access (Chirca, Abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497