Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2016, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 15/591,382 filed on 05/10/2017. Claims 1, 10, and 16 have been amended; claims 2-3, 11 and 17 have been cancelled. Claims 1, 10, and 16 are independent claims. Claims 1, 4-10, 12-16, 18-20 have been examined and are pending. 
Authorization for this Examiner’s Amendment was given via email with Applicant’s representative, Mr. Glenn Snyder (Reg. No.: 41,428). Mr. Snyder has agreed and authorized the Examiner to amend claims 1, 10 and 16, and cancel claims 2-3, 10 and 17.

Examiner’s Amendments
Claims
Replacing claims 1-20 as follows:

1.	(Currently amended) A method, comprising:
	receiving credentials of a user of a client device;
 	receiving an enrollment request from the client device, wherein the enrollment request includes an Internet Protocol (IP) address of the client device, and wherein the enrollment 
retrieving, using the credentials of the user, one or more approved IP subnet ranges associated with the client device, wherein the one or more approved IP subnet ranges are allocated by a network service provider associated with the client device;
comparing the IP address of the client device in the enrollment request to the one or more approved IP subnet ranges associated with the client device;
determining to enroll the client device in the token and location-based auto-authentication service based on determining that the IP address of the client device is within an approved IP subnet range of the one or more approved IP subnet ranges associated with the client device;
generating a token comprising the IP address and an identifier of the user based on determining to enroll the client device in the token and location-based auto-authentication service;
generating a timestamp that indicates a time at which the token is being generated, wherein the token further comprises the generated timestamp;
	appending the timestamp, the identifier of the user, and the IP address to one another to generate the token;
	encrypting the token;
storing, in an entry of a database, an indication that the user is enrolled in automatic authentication;
	sending the encrypted token to the client device; 
	receiving, when the client device attempts to access a protected resource or a network service, a current IP address of the client device and the encrypted token from the client device 
authenticating the client device when the IP address from the encrypted token received from the client device matches the current IP address of the client device; and
granting the client device access to the protected resource or the network service when the client device is authenticated.

2.	(Cancelled) 

3.	(Cancelled) 

4.	(Original) The method of claim 1, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires.

5.	(Previously presented) The method of claim 4, further comprising:
	appending the refresh timestamp, the identifier of the user, and the IP address to one another to generate the token.

6.	(Previously presented) The method of claim 1, further comprising:
	receiving a request to access the protected resource or the network service, wherein the request includes the current IP address of the client device and the encrypted token.


	decrypting the encrypted token to produce a decrypted token;
	extracting the IP address from the decrypted token;
	comparing the extracted IP address with the current IP address; and
	authenticating the client device based on the comparison without requiring the credentials of the user.

8.	(Previously presented) The method of claim 7, further comprising:
extracting the identifier of the user from the decrypted token; and
	using, if the comparison indicates that the current IP address and the extracted IP address do not match, the identifier of the user to perform a database lookup to determine if the current IP address belongs to the user.

9.	(Previously presented) The method of claim 8, further comprising:
	granting, if the comparison indicates that the current IP address and the extracted IP address match, the client device access to the protected resource or network service.

10.	(Currently amended) A network device, comprising:
 	a communication interface, implemented in hardware, connected to a network that:
receives credentials of a user of a client device, and
receives an enrollment request from the client device, wherein the enrollment request includes an Internet Protocol (IP) address of the client device, and wherein the 
a processor, implemented in hardware, that:
retrieves, using the credentials of the user, one or more approved IP subnet ranges associated with the client device, wherein the one or more approved IP subnet ranges are allocated by a network service provider associated with the client device,
compares the IP address of the client device in the enrollment request to the one or more approved IP subnet ranges associated with the client device,
determines to enroll the client device in the token and location-based auto-authentication service based on determining that the IP address of the client device is within an approved IP subnet range of the one or more approved IP subnet ranges associated with the client device, 
generates a token comprising the IP address and an identifier of the user based on determining to enroll the client device in the token and location-based auto-authentication service,
generates a timestamp that indicates a time at which the token is being generated, wherein the token further comprises the generated timestamp,
appends the timestamp, the identifier of the user, and the IP address to one another to generate the token,
encrypts the token, and
stores, in an entry of a database, an indication that the user is enrolled in automatic authentication,
wherein the communication interface further: 	

	receives, when the client device attempts to access a protected resource or a network service, a current IP address of the client device and the encrypted token from the client device for authenticating the client device without further requiring the credentials of the user, wherein the encrypted token includes the IP address of the client device included in the enrollment request received from the client device, and
wherein the processor further:
authenticates the client device when the IP address from the encrypted token received from the client device matches the current IP address of the client device, and
grants the client device access to the protected resource or the network service when the client device is authenticated.

11.	(Cancelled) 

12.	(Previously presented) The network device of claim 10, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires, and wherein the processor further:
	appends the refresh timestamp, the identifier of the user, and the IP address to one another to generate the token.

13.	(Previously presented) The network device of claim 10, wherein the communication interface further: 


 14.	(Previously presented) The network device of claim 13, wherein the processor further:
	decrypts the encrypted token to produce a decrypted token;
	extracts the IP address from the decrypted token;
	compares the extracted IP address with the current IP; and
	authenticates the client device based on the comparison without requiring the credentials of the user.

15.	(Previously presented) The network device of claim 14, wherein the processor further:
extracts the identifier of the user from the decrypted token,
	uses, if the comparison indicates that the current IP address and the extracted IP address do not match, the identifier of the user to perform a database lookup to determine if the current IP address belongs to the user, and
	grants, if the comparison indicates that the current IP address and the extracted IP address  match, the client device access to the protected resource or network service.
	
16.	(Currently amended) A non-transitory storage medium storing instructions executable by a computational device, wherein the instructions comprise instructions to cause the computational device to:
	receive credentials of a user of a client device;

retrieve, using the credentials of the user, one or more approved IP subnet ranges  associated with the client device;
compare the IP address of the client device in the enrollment request to the one or more approved IP subnet ranges associated with the client device, wherein the one or more approved IP subnet ranges are allocated by a network service provider associated with the client device;
determine to enroll the client device in the token and location-based auto-authentication service based on determining that the IP address of the client device matches an approved IP subnet range of the one or more approved IP subnet ranges associated with the client device;
generate a token comprising the network address and an identifier of the user based on determining to enroll the client device in the token and location-based auto-authentication service;
generate a timestamp that indicates a time at which the token is being generated, wherein the token further comprises the generated timestamp;
append the timestamp, the identifier of the user, and the IP address to one another to generate the token;
	encrypt the token;
store, in an entry of a database, an indication that the user is enrolled in automatic authentication;
send the encrypted token to the client device; 

authenticate the client device when the IP address from the encrypted token received from the client device matches the current IP address of the client device; and
grant the client device access to the protected resource or the network service when the client device is authenticated.

17.	(Cancelled) 

18.	(Previously presented) The non-transitory storage medium of claim 16, wherein the token further comprises a refresh timestamp that indicates a time at which the token expires, and wherein the instructions further comprise instructions to cause the computational device to:
	append the refresh timestamp, the identifier of the user, and the IP address to one another to generate the token.

19.	(Previously presented) The non-transitory storage medium of claim 16, wherein the instructions further comprise instructions to cause the computational device to:
	receive a request to access the protected resource or the network service, wherein the request includes the current IP address of the client device and the encrypted token;
	decrypt the encrypted token to produce a decrypted token;

	compare the extracted network address with the current IP address; and
	authenticate the client device based on the comparison without requiring the credentials of the user.

20.	(Previously presented) The non-transitory storage medium of claim 19, wherein the instructions further comprise instructions to cause the computational device to:
extract the identifier of the user from the decrypted token,
	use, if the comparison indicates that the current IP address and the extracted IP address do not match, the identifier of the user to perform a database lookup to determine if the current IP address belongs to the user, and
	grant, if the comparison indicates that the current IP address and the extracted network match, the client device access to the protected resource or network service.
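
The enrollment and verification flow recited in claim 1, together with the decrypt-and-compare steps of its dependent claims, as an added Go illustration; it is not code from the application or from this Office Action. AES-GCM as the cipher, the byte layout of the token, the `maxAge` freshness limit and every identifier are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

var ErrIPMismatch = errors.New("current IP differs from enrolled IP") // genuine token, other address

// Added illustration, all names assumed: Enroll seals timestamp || user ID || IP only if ip is in an approved CIDR.
func Enroll(g cipher.AEAD, user, ip string, approved []string, now int64) ([]byte, error) {
	addr := net.ParseIP(ip)
	for _, c := range approved {
		if _, n, err := net.ParseCIDR(c); err == nil && addr != nil && n.Contains(addr) {
			p := append(binary.BigEndian.AppendUint64(nil, uint64(now)), user...)
			nonce := make([]byte, 12)
			rand.Read(nonce) // fresh nonce per token; documented not to fail since Go 1.24
			return g.Seal(nonce, nonce, append(p, addr.To16()...), nil), nil
		}
	}
	return nil, fmt.Errorf("IP %q is outside the approved subnets", ip)
}

// Verify returns the token's user ID; err is nil only for a fresh token whose IP equals curIP (Unix seconds).
func Verify(g cipher.AEAD, tok []byte, curIP string, now, maxAge int64) (string, error) {
	if len(tok) < 12 {
		return "", errors.New("token rejected")
	}
	p, err := g.Open(nil, tok[:12], tok[12:], nil) // the GCM tag check fails on any tampering
	if err != nil || len(p) < 24 || now-int64(binary.BigEndian.Uint64(p)) > maxAge {
		return "", errors.New("token rejected or expired")
	}
	user := string(p[8 : len(p)-16])
	if cur := net.ParseIP(curIP); cur == nil || !cur.Equal(net.IP(p[len(p)-16:])) {
		return user, ErrIPMismatch
	}
	return user, nil
}

func main() {
	blk, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	g, _ := cipher.NewGCM(blk)
	tok, _ := Enroll(g, "alice", "198.51.100.7", []string{"198.51.100.0/24"}, 1700000000)
	fmt.Println(Verify(g, tok, "198.51.100.7", 1700000060, 3600))
}
```

`Verify` still returns the user identifier alongside `ErrIPMismatch`, which is the point where the database lookup of claim 8 would run.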


Examiner’s Statement of Reasons for Allowance

Claims 1, 4-10, 12-16, and 18-20 are allowed. 
The following is an examiner’s statement of reasons for allowance. 
The invention is directed to methods, devices and non-transitory storage medium storing instructions provided for token and device location-based automatic client device authentication, for protected resource access, according to exemplary embodiments of the invention. A "protected resource," as referred to herein includes any type of network service access requiring user authentication, or any type of network device access (e.g., 

Upon receipt of the enrollment request, including the network address of client device 100, authentication system 120 retrieves a user ID that is associated with user 110, and obtains a current timestamp. The user ID may have been previously stored in an account database in association with an established account of user 110. Authentication system 120 then generates a token, for user 110 and client device 100, which includes the network address of client device 100, the user identifier (ID) associated with user 110, and the timestamp. The generated token may include other types of data items, in 

The closest prior art includes Todasco (“Todasco,” US 20170046712, filed Aug. 11, 2015), Danciu (“Danciu,” US 20150242597, published Aug. 27, 2015), Junod et al. (“Junod,” US 20130247217, published Sept. 19, 2013), and Lof et al. (“Lof,” US 20140310779, published Oct. 16, 2014), which are also generally directed to various aspects of a method/system/non-transitory computer readable medium for token-based authentication. 
However, none of Todasco, Danciu, Junod, or Lof teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims 1, 10, and 16. For example, these references fail to teach all limitations recited in claims 1, 10 and 16 as a whole, especially “A method, comprising: receiving credentials of a user of a client device; receiving an enrollment request from the client device, wherein the enrollment request includes an Internet Protocol (IP) address of the client 
These features in light of other features described in the independent claims 1, 10 and 16 are allowable over the prior art of record. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.” 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




/EDWARD LONG/
Examiner, Art Unit 2439

/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439