Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the amendments filed on 04/07/2021. Claims 1, 5, 8, 12, 15 and 19 have been amended. Claims 1-20 are pending and have been considered.

Priority
Acknowledgement is made of no claim of foreign priority.

Drawings
The drawings filed on 10/26/2020 are accepted.

Specification
The specification filed on 10/26/2020 is accepted.

Response to Arguments
Applicant's arguments with respect to 103 rejection such as “Applicant respectfully submits that neither Hoghaug nor Bender teach or suggest as these recited claim elements. In light of the above amendments, Applicant respectfully submits that the rejection under § 103 is overcome and requests allowance of the claims.”, remarks pages 13-14 have been considered  Rykowski U.S. 9,843,572 B2 and Potter et al U.S. 2006/0026670 A1.

Claim Objections
Claims 2, 9 and 16 are objected to because of the following informalities: the claims recite the limitations of “verifying the certificate enrolment request at the certificate authority”. The examiner notes that the independent claims 1, 8 and 15 have been amended to add the above limitations without amending the dependent claims to remove such limitations. Appropriate correction is required.
Claims 5, 12 and 19 are objected to because of the following informalities: the claims recite the limitations of “verifying the certificate enrolment request at the certificate authority”. The examiner notes that the independent claims 1, 8 and 15 have been amended to add the above limitations without amending the dependent claims to remove such limitations. Appropriate correction is required.
Claim 8 is objected to because of the following informalities:  claim 8 recites on line 8 the limitations of “at an authentication server”, it should be “at the authentication server”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that 

Claims 1-4, 6-11, 13-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hoghaug U.S. 2013/0212653 A1 in view of Bender et al U.S. 2009/0222657 A1 in further view of Rykowski U.S. 9,843,572 B2 and Potter et al U.S. 2006/0026670 A1.
Claims 1 and 15: Hoghaug teaches a method for connecting a user device to a (secure network) protected network and a computer program product for connecting a user device to a protected network, the computer program product comprising a non-transitory computer-readable medium program having program instructions embodied therewith (par.87-90), the program instructions executable by a processor to perform an operation comprising: 
receiving a secure network access request for the user device from the protected network at an authentication server (par.85, a request to access a network resource is received at a server, from a client device);
authenticating the user device, at the authentication server, using credentials associated with a certified application on the user device, where the credentials comprise a username and password to access the certified application (Fig. 5, 6, par. 24-28, 57-63, user may transmit a request 108 to the authentication server 104. The request includes information identifying the user and the client device 102. Information to identify the user may include one or more of a username, a password, a PIN, or other identifying indicia);
upon authenticating the user device connecting the user device to the protected network (par.25-28, If the authentication server 104 responds to the network resource 106 verifying that the client device 102 has an existing reservation, then the network resource 106 allows the client device 102 access); 
Hoghaug does not explicitly teach; however, Bender et al, in the same field of endeavor, teaches
enrolling the user device by verifying a certificate enrollment request at a certificate authority and issuing an identity certificate to the user device, where the identity certificate is used by the user device to authenticate the user device in subsequent attempts to connect to the protected network (par. 77, 26-27, 45, 71-73, 85-86. In response to receipt of the request message, the host server establishes a connection with the CA, requests and obtains the digital certificate from the CA on behalf of the mobile device, and thereafter “pushes” the received digital certificate to the mobile device. The mobile device receives the digital certificate and stores it for use in subsequent communications. For example, the mobile device may thereafter obtain access to the communication network via the WLAN which is adapted to authenticate the mobile device based on the digital certificate).
Bender et al in order to provide the ability for mobile device to receive the digital certificate and store it for use in subsequent communications wherein the mobile device to obtain access to the communication network via the WLAN which is adapted to authenticate the mobile device based on the digital certificate, as suggested by Bender et al par.71.
The combination does not explicitly teach; however, Potter et al, in the same field of endeavor, teaches
transmitting a change authorization message to the protected network (par.8, RFC 3576 defines a change of Authorization message, for the RADIUS protocol, which an AAA server may send to cause an access device to change authorization characteristics for a single supplicant);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Hoghaug with the additional features of Potter et al in order to provide centralized management of on-demand mass posture re-validation, wherein a single authentication server 120 can trigger re-validation of thousands of supplicants across the entire network, even if different authentication servers manage basic authentication processes for many of the supplicants, as suggested by Potter et al par.60.
Rykowski in the same field of endeavor teaches
receiving a subsequent secure network access request, wherein the subsequent secure network access request comprises the identity certificate (par.33, The management service 112 can validate the identity certificate 138 provided by the operating system 143 and reply with an authentication key 142 to the installation of the managed application 147, which store the authentication key 142 for subsequent communications with the management service 112 or another server or application providing access to a resource); and
validating the identity certificate received in the subsequent secure network access request (par.33, 35, 43, the management service 112 can validate the identity certificate 138 provided by the operating system 143 and reply with an authentication key 142 to the installation of the managed application 147, which store the authentication key 142 for subsequent communications with the management service 112 or another server or application providing access to a resource).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Hoghaug with the additional features of Rykowski in order to provide the ability for facilitating distribution of an authentication code to installation of managed applications, as suggested by Rykowski abstract.
Claim 8: Hoghaug teaches a system for connecting a user device to a protected network, comprising: 
a processor (par. 87-90, Fig.11, item 1102); and
a memory comprising instructions which, when executed on the processor, performs an operation (par.87-90, Fig. 11, items 1102, 1104, and 1106), the operation comprising:
receiving a secure network access request for the user device from the protected network at an authentication server (par.85, a request to access a network resource is received at a server, from a client device);
authenticating the user device, at the an authentication server, using credentials associated with a certified application on the user device, where the credentials comprise a username and password to access the certified application (Fig. 5,6 par. 24-28, 57-63, user may transmit a request 108 to the authentication server 104. The request includes information identifying the user and the client device 102. Information to identify the user may include one or more of a username, a password, a PIN, or other identifying indicia):
upon authenticating the user device connecting the user device to the protected network (par.25-28, If the authentication server 104 responds to the network resource 106 verifying that the client device 102 has an existing reservation, then the network resource 106 allows the client device 102 access); and
Hoghaug does not explicitly teach; however, Bender et al, in the same field of endeavor, teaches
enrolling the user device by at least verifying a certificate enrollment request at a certificate authority and issuing an identity certificate to the user device, where the identity certificate is used by the user device to authenticate the user device in subsequent attempts to connect to the protected network (par. 77, 26-27, 45, 71-73, 85-86. In response to receipt of the request message, the host server establishes a connection with the CA, requests and obtains the digital certificate from the CA on behalf of the mobile device, and thereafter “pushes” the received digital certificate to the mobile device. The mobile device receives the digital certificate and stores it for use in subsequent communications. For example, the mobile device may thereafter obtain access to the communication network via the WLAN which is adapted to authenticate the mobile device based on the digital certificate).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Hoghaug with the additional features of Bender et al in order to provide the ability for mobile device to receive the digital certificate and store it for use in subsequent Bender et al par.71.
The combination does not explicitly teach; however, Potter et al, in the same field of endeavor, teaches
transmitting a change authorization message to the protected network (par.8, RFC 3576 defines a change of Authorization message, for the RADIUS protocol, which an AAA server may send to cause an access device to change authorization characteristics for a single supplicant);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Hoghaug with the additional features of Potter et al in order to provide centralized management of on-demand mass posture re-validation, wherein a single authentication server 120 can trigger re-validation of thousands of supplicants across the entire network, even if different authentication servers manage basic authentication processes for many of the supplicants, as suggested by Potter et al par.60.
The combination does not explicitly teach; however, Rykowski, in the same field of endeavor, teaches
par.33, The management service 112 can validate the identity certificate 138 provided by the operating system 143 and reply with an authentication key 142 to the installation of the managed application 147, which store the authentication key 142 for subsequent communications with the management service 112 or another server or application providing access to a resource); and
validating the identity certificate received in the subsequent secure network access request (par.33, 35, 43, the management service 112 can validate the identity certificate 138 provided by the operating system 143 and reply with an authentication key 142 to the installation of the managed application 147, which store the authentication key 142 for subsequent communications with the management service 112 or another server or application providing access to a resource).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Hoghaug with the additional features of Rykowski in order to provide the ability for facilitating distribution of an authentication code to installation of managed applications, as suggested by Rykowski abstract.
Claims 2, 9 and 16: the combination further comprising:
Bender et al par.26, 68), wherein authenticating the user device comprises:
receiving an authentication indication, wherein the authentication indication comprises the credentials associated with the certified application (Hoghaug, par.85-86, Bender et al, par.45);
verifying the authentication indication using stored user information associated with an identification repository and the credentials associated with the certified application (Hoghaug, par.85-86, Bender et al, par.61-63, 72, 85); and
upon verification of the authentication indication, issuing an authentication token to the certified application on the user device (Hoghaug, par.85-86, Bender et al, par.61-63, 72, 85); and
 wherein enrolling the user device comprises (Bender et al, par.77-85):
receiving a certificate enrollment request from the certified application at a certificate authority, wherein the certificate enrollment request comprises the issued authentication token (Bender et al, par.77-85);
Bender et al, par-77-85).
The same motivation to modify Hoghaug in view of Bender et al applied to claims 1, 8 and 15 above applies here.
Claims 3, 10 and 17: the combination teaches wherein connecting the user device to the protected network comprises:
receiving the secure network access request from the protected network at the authentication server, wherein the secure network access request is transmitted from the protected network in response to an association request and identification from the user device, and wherein the secure network access request comprises the identity certificate issued to the certified application (Hoghaug, par.85-86, Bender et al, par.61-63, 72, 85);
authorizing the secure network access request using the identity certificate received in the secure network access request (Bender et al, par.61-63, 72, 85); and
Bender et al, par.61-63, 72, 85).
The same motivation to modify Hoghaug in view of Bender et al applied to claims 2, 9 and 16 above applies here.
Claims 4, 11 and 18: the combination teaches further comprising configuring the user device with connection credentials subsequent to receiving a secure network access request from the protected network (Hoghaug, par.29, 32-33), wherein connecting the user device to the protected network comprises:
receiving the secure network access request from the protected network at the authentication server, wherein the secure network access request is transmitted from the protected network in response to an association request and identification from the user device, and wherein the secure network access request comprises the credentials associated with the certified application received from the user device at the protected network (Hoghaug, par.32-4);
wherein authenticating the user device comprising the certified application comprises:
authorizing the secure network access request using stored user information associated with an identification repository and the credentials associated with the certified application (Hoghaug, par. 32-40); and

sending an accept message to the protected network, wherein the protected network provides a network connection to the user device in response to receiving the accept message (Hoghaug, par. 41-43).
Claims 6, 13 and 20: the combination teaches:
reconnecting the user device to the protected network by (Bender et al, par.71):
receiving a reconnect secure network access request from the protected network, wherein the reconnect secure network access request is transmitted from the protected network in response to an association request from the user device (Bender et al, par.71-72);
authorizing the reconnect secure network access request using a previously issued identity certificate (Bender et al, par.71-72); and
upon authorizing the reconnect secure network access request, sending an accept message to the protected network, wherein the protected network provides a network connection to the user device in response to receiving the accept message (Bender et al, par.71-72).
The same motivation to modify Hoghaug in view of Bender et al applied to claims 1, 8 and 15 above applies here.
Claims 7 and 14: the combination teaches
wherein the protected network comprises an enterprise network, wherein the enterprise network comprises a plurality of access points located in distinct locations (Bender et al, Fig.2, par.21-22, 40-41).
The same motivation to modify Hoghaug in view of Bender et al applied to claims 1 and 8 above applies here.

Allowable Subject Matter
Claims 5, 12 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The following prior art is cited to further show the state of the art at the time of applicant’s invention.
Menezes et al U.S. 9,112,861 B2 Registration and network access control.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have 






Saturday, July 24, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436