United States Patent and Trademark Office    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov

BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/531,315
Filing Date: 5 Aug 2019
Appellant(s): Schatzmann et al.



__________________
Rami N. Moussa
Reg. No. 69,528
For Appellant


EXAMINER’S ANSWER

This is in response to the appeal brief filed on 05/13/2021.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 10/13/2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument

Argument I
	With respect to the 35 U.S.C. 103(a) rejection of claims 21 and 31, appellant argued that the art on record, Stieglitz (US Pub. No. 2006/0185001) in view of Chesla (US Pub. No. 2013/0254879), fails to teach the limitation, “… generating a challenge for network equipment to be onboarded into the managed network, wherein the challenge comprises information relating to a configuration change to be made to network equipment”. Examiner respectfully disagrees.

 	Response I
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 50 of Stieglitz, in step 202, the authentication server 110 performs an extensible authentication protocol (EAP)-based exchange between the remote device 130 and an authentication server 110 to allow the remote device 130 to authenticate its identity to the authentication server 110 to allow access to the network. This EAP-based exchange creates a secured tunnel through the gateway device 120 to allow less secure methods of authentication to execute within the secured tunnel, in a protected manner); (paragraph 70 of Stieglitz, in step 219, the remote device 130 chooses the most acceptable device configuration 190 from the multiple device configurations 190 transmitted to the remote device 130 from the authentication server 110, and the remote device 130 installs the most acceptable device configuration 190); and (paragraph 71 of Stieglitz, the authentication server 110 verifies the remote device 130 has installed the device configuration 190. If the remote device 130 has not installed the device configuration 190, the authentication server 110 transmits the device configuration 190 to the remote device 130. Only when the device configuration 190 has been installed on the remote device 130, will the remote device 130 be allowed to access the network 100). As disclosed in the Stieglitz reference, the authentication server performs an EAP-based request and response exchange with the remote device (which the examiner considers to be the claimed challenge), requests the remote device to install configuration data/information, and verifies whether or not the remote device installed that configuration data.
Also according to the Stieglitz reference, the only time the remote device 130 is allowed to access the network is after the remote device has installed the configuration information and the authentication server 110 has verified the installation.
Appellant also contends that the Stieglitz reference fails to teach that the claimed challenge includes configuration related information (see page 8 of appellant's brief). Examiner would like to point out that during the performance of the authentication exchange, the authentication server 110 identifies a configuration selection characteristic associated with the remote device 130 and, based on that identification, provides the device configuration 190 to the remote device. During the authentication process (i.e., during the challenge/response process) the authentication server allows the remote device to install the device configuration prior to being allowed access to the network (see paragraphs 51-53 of Stieglitz). Since the authentication server of Stieglitz provides the device configuration information and forces the remote device to install it during the authentication process (i.e., during the challenge/response process), the Stieglitz reference discloses that the challenge includes the configuration related information.
In addition, examiner would point out that the same response applies to appellant's repeated argument regarding the limitation “generating a challenge for network equipment to be onboarded into the managed network, wherein the challenge comprises information relating to a configuration change to be made to network equipment” on pages 6-8 of appellant's brief.

Argument II
	With respect to the 35 U.S.C. 103(a) rejection of claims 21 and 31, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… sending the challenge to a communication device different from the equipment network”. Examiner respectfully disagrees.

 	Response II
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 50 of Stieglitz, in step 202, the authentication server 110 performs an extensible authentication protocol (EAP)-based exchange between the remote device 130 and an authentication server 110 to allow the remote device 130 to authenticate its identity to the authentication server 110 to allow access to the network. This EAP-based exchange creates a secured tunnel through the gateway device 120 (i.e., the claimed communication device) to allow less secure methods of authentication to execute within the secured tunnel, in a protected manner). See also the gateway device 120 and the EAP request 180 in fig. 2 of Stieglitz.
Appellant also contends that the combination of references fails to teach or suggest that the gateway device 120, which examiner equates with the claimed communication device, communicates with the server 110 separately and independently of the communications of the remote device 130 (see page 10 of appellant's brief). Examiner would like to point out that the terms used in the argument (i.e., “separately” and “independently”) do not appear in the claim language. Stieglitz discloses that the EAP exchange does not go directly to the remote device; instead it goes to the gateway device 120 first and then to the remote device. Therefore, Stieglitz teaches the argued claim limitation, sending the challenge to a communication device different from the equipment network, by sending the EAP exchange to the remote device through the gateway device 120 as disclosed in fig. 2 of Stieglitz.

 Argument III
	With respect to the 35 U.S.C. 103(a) rejection of claims 21 and 31, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… wherein the challenge is sent over a connection that is different than a connection used in communicating with the network equipment”. Examiner respectfully disagrees.

 	Response III
A review of the prior art of record (Chesla), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Chesla reference as follows (emphasis added): (paragraph 13 of Chesla, upon reception of only an inbound traffic diverted from a client, wherein the inbound traffic is suspected to include malicious threats; establishing a new encrypted session with the client; responding to a client's request received over the new encrypted session with an encrypted client web challenge; determining if the client correctly responds to the encrypted client web challenge). According to Chesla, the encrypted client web challenge is transmitted over the new encrypted session (i.e., a session different from the connection the client used to send the request) in order to respond to the client's request. Therefore, Chesla discloses the claimed limitation, “… wherein the challenge is sent over a connection that is different than a connection used in communicating with the network equipment”, as set forth in the previous Office action.
Appellant also contends that the combination of Stieglitz and Chesla fails to show a different connection with a different end device (see page 11 of appellant's brief). Examiner would like to point out that Stieglitz teaches connecting with a different end device (i.e., the gateway device 120 of Stieglitz) but fails to disclose sending the challenge over a different connection. However, Chesla teaches the different connection as establishing a new encrypted session with the client (see paragraph 13 of Chesla). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the connection with a different end device of Stieglitz with the new encrypted connection of Chesla.

Argument IV
	With respect to dependent claims 22 and 32, appellant argued that the claims depend from argued independent claims 21 and 31, respectively (see Argument I above), and therefore are patentable.

 	Response IV
Examiner would point out that claims 21 and 31 are not patentable for the reasons given in Response I above.

Argument V
	With respect to the 35 U.S.C. 103(a) rejection of claims 23 and 33, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… determining that the configuration change is made comprises: transmitting one or more test signals to the network equipment; and receiving one or more test response signals from the network equipment”. Examiner respectfully disagrees.

 	Response V
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 64 of Stieglitz, in step 214, the authentication server 110 extends the PEAP or TLV-FAST protocol to include a sub-type field that receives values for a requested configuration status from the remote device 130, in the extensible authentication protocol configuration exchange message, EAP response 195, sent to the authentication server 110 from the remote device 130) and (paragraph 65 of Stieglitz, in step 215, the authentication server 110 extends the PEAP or TLV-FAST protocol to include a sub-type field confirming an event was executed by the remote device 130, in the extensible authentication protocol configuration exchange message, EAP response 195, sent to the authentication server 110 by the remote device 130).
Appellant also contends that the Stieglitz reference fails to teach a configuration test signal and a response to the test signal (see page 14 of appellant's brief). Examiner would like to point out that 

Argument VI
	With respect to the 35 U.S.C. 103(a) rejection of claims 24 and 34, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… selectively onboarding the network equipment to the managed network, based on outcome of the configuration change”. Examiner respectfully disagrees.

 	Response VI
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 73 of Stieglitz, the authentication server 110 verifies the remote device 130 has installed the device configuration 190. If the remote device 130 has not installed the device configuration 190, the authentication server 110 transmits the device configuration 190 to the remote device 130. Only when the device configuration 190 has been installed on the remote device 130, will the remote device 130 be allowed to access the network 100). Examiner would like to point out that the broadest reasonable interpretation of the claimed “selectively onboarding the network equipment to the managed network based on outcome of the configuration change” is that the network equipment/remote device is selected to be onboarded, or allowed to access the network, if and only if the required configuration has been installed on the network equipment/remote device. Therefore, paragraph 73 of Stieglitz clearly teaches the examiner's interpretation as indicated above.
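The exchange discussed in Responses I, V and VI (a challenge carrying a configuration change, relayed through a communication device separate from the equipment, a test signal and test response to confirm the change, and admission to the network only on a successful outcome) can be modelled end to end. The following Python is an added illustration written for this page; it is not code from the application, from Stieglitz or Chesla, or from the Office, and it does not purport to show how any of those references implements its method. Every name in it (OnboardingController, NetworkEquipment, Gateway, NonCompliantEquipment, the pre-shared keys and the configuration values) is an assumption, and the sample configuration and keys are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample configuration change; values are illustrative only.
REQUIRED_CONFIG = {"ntp_server": "10.0.0.5", "mgmt_vlan": 100}
# Constructed pre-shared keys (assumption: each device was provisioned out of band).
DEVICE_KEYS = {"sw-01": b"sw-01-psk", "sw-02": b"sw-02-psk"}


def canonical(config: dict, keys) -> bytes:
    """Canonical encoding of the configuration keys covered by a challenge or probe."""
    return repr(sorted((k, config.get(k)) for k in keys)).encode()


@dataclass
class Challenge:
    nonce: bytes          # fresh per challenge; binds the response to this exchange
    config_change: dict   # the configuration change the equipment must make


@dataclass
class NetworkEquipment:
    device_id: str
    key: bytes
    config: dict = field(default_factory=dict)

    def apply_challenge(self, ch: Challenge) -> bytes:
        """Make the requested change, then answer with a MAC over nonce + resulting values."""
        self.config.update(ch.config_change)
        return self._mac(ch.nonce, ch.config_change.keys())

    def answer_test_signal(self, probe: bytes, keys) -> bytes:
        """Test response signal: MAC over the probe and the live values of the probed keys."""
        return self._mac(probe, keys)

    def _mac(self, data: bytes, keys) -> bytes:
        return hmac.new(self.key, data + canonical(self.config, keys), hashlib.sha256).digest()


class NonCompliantEquipment(NetworkEquipment):
    """Equipment that answers the challenge but never applies the configuration change."""

    def apply_challenge(self, ch: Challenge) -> bytes:
        return self._mac(ch.nonce, ch.config_change.keys())


class Gateway:
    """The separate communication device: relays the challenge to the equipment over a
    management path that is distinct from the equipment's own data connection."""

    def __init__(self):
        self.relayed = []  # audit trail of (device_id, nonce) pairs relayed

    def relay(self, equipment: NetworkEquipment, ch: Challenge) -> bytes:
        self.relayed.append((equipment.device_id, ch.nonce))
        return equipment.apply_challenge(ch)


class OnboardingController:
    def __init__(self, required_config: dict, device_keys: dict):
        self.required_config = required_config
        self.device_keys = device_keys
        self.onboarded = set()

    def generate_challenge(self) -> Challenge:
        return Challenge(nonce=os.urandom(16), config_change=dict(self.required_config))

    def _expected(self, device_id: str, data: bytes) -> bytes:
        keys = self.required_config.keys()
        msg = data + canonical(self.required_config, keys)
        return hmac.new(self.device_keys[device_id], msg, hashlib.sha256).digest()

    def onboard(self, equipment: NetworkEquipment, gateway: Gateway) -> bool:
        """Challenge via the gateway, verify the response, probe with a test signal,
        and admit the equipment only when the configuration change is confirmed."""
        if equipment.device_id not in self.device_keys:
            return False                      # unknown equipment: no challenge is issued
        ch = self.generate_challenge()
        response = gateway.relay(equipment, ch)
        if not hmac.compare_digest(self._expected(equipment.device_id, ch.nonce), response):
            return False                      # wrong key or change not applied
        probe = os.urandom(16)                # test signal after the change
        test_response = equipment.answer_test_signal(probe, self.required_config.keys())
        if not hmac.compare_digest(self._expected(equipment.device_id, probe), test_response):
            return False
        self.onboarded.add(equipment.device_id)
        return True


if __name__ == "__main__":
    ctrl = OnboardingController(REQUIRED_CONFIG, DEVICE_KEYS)
    gw = Gateway()
    print("sw-01:", ctrl.onboard(NetworkEquipment("sw-01", DEVICE_KEYS["sw-01"]), gw))
    print("sw-02:", ctrl.onboard(NonCompliantEquipment("sw-02", DEVICE_KEYS["sw-02"]), gw))
```

One caveat a practitioner would raise: an HMAC response proves only that the responder holds the key and chose to compute the MAC over the stated values. The NonCompliantEquipment class reports its real (unchanged) state, so the check rejects it; firmware that applies nothing but computes the MAC over the requested values would pass. Binding the response to a hardware-rooted attestation of the running configuration is what closes that gap, and lies outside what this model shows.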


Argument VII
	With respect to the 35 U.S.C. 103(a) rejection of claims 25 and 35, appellant argued that the art on record, Stieglitz in view of Chesla and further in view of Karasawa (US Pub. No. 2011/0185171), fails to teach the limitation “… the managed network is one of a plurality of managed networks; and wherein selectively onboarding the network equipment comprises selecting to which of the plurality of managed networks the network equipment is onboarded”. Examiner respectfully disagrees.

 	Response VII
A review of the prior art of record (Karasawa), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Karasawa reference as follows (emphasis added): (paragraph 1 of Karasawa, the present invention relates to a certificate authenticating method that authenticates a certificate issued to be used for using a service on a different network, a certificate issuing device and an authentication device) and (paragraph 20 of Karasawa, according to the present invention, even in the case where a NW access terminal cannot use information retained in a NW service relay device, a third party institution issues a digital certificate that proves that the NW access terminal can use information retained in the NW service relay device, thereby enabling the NW access terminal to be authenticated for another NW service). The combination of Stieglitz and Chesla fails to disclose selecting to which of the plurality of networks the network equipment/access terminal is onboarded or granted access. However, Karasawa teaches this limitation, as the access terminal can mediate between a plurality of differently managed networks to obtain authentication for accessing another network service (see paragraphs 20-21 of Karasawa).

Argument VIII
	With respect to the 35 U.S.C. 103(a) rejection of claims 26 and 36, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… wherein the configuration change comprises configuring one or more connections to and/or within the network equipment”. Examiner respectfully disagrees.

 	Response VIII
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 76 of Stieglitz, the authentication server 110 detects another connection attempt 170 by the remote device 130. The authentication server 110 performs an abbreviated authentication exchange by comparing the checksum value to an identity associated with the remote device 130 to determine whether the remote device 130 has previously successfully completed the authentication exchange) and (paragraph 6 of Stieglitz, during the authentication exchange, the authentication server identifies characteristics about the company laptop, which aids the authentication server in selecting the appropriate network configuration for that company laptop. In other words, in one configuration, there may be multiple available configurations and the system explained herein can select one of such configurations for application to the remote device based on some characteristics. These characteristics can be, for example, the location of the company laptop within the network (e.g., a sub-network or port upon which the connection attempt is made), the access level within the network the company laptop is requesting, the role and/or type of the company laptop, or other characteristics).

Argument IX
	With respect to the 35 U.S.C. 103(a) rejection of claims 27 and 37, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… wherein the one or more connections comprise at least one local connection to a network device local to and different from the network equipment”. Examiner respectfully disagrees.

 	Response IX
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 76 of Stieglitz, the authentication server 110 detects another connection attempt 170 by the remote device 130. The authentication server 110 performs an abbreviated authentication exchange by comparing the checksum value to an identity associated with the remote device 130 to determine whether the remote device 130 has previously successfully completed the authentication exchange) and (paragraph 6 of Stieglitz, during the authentication exchange, the authentication server identifies characteristics about the company laptop, which aids the authentication server in selecting the appropriate network configuration for that company laptop. In other words, in one configuration, there may be multiple available configurations and the system explained herein can select one of such configurations for application to the remote device based on some characteristics. These characteristics can be, for example, the location of the company laptop within the network (e.g., a sub-network or port upon which the connection attempt is made), the access level within the network the company laptop is requesting, the role and/or type of the company laptop, or other characteristics).

Argument X
	With respect to the 35 U.S.C. 103(a) rejection of claims 28 and 38, appellant argued that the art on record, Stieglitz in view of Chesla, fails to teach the limitation “… wherein the one or more connections comprise at least one local connection between two different ports of the network equipment”. Examiner respectfully disagrees.

 	Response X
A review of the prior art of record (Stieglitz), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Stieglitz reference as follows (emphasis added): (paragraph 76 of Stieglitz, the authentication server 110 detects another connection attempt 170 by the remote device 130. The authentication server 110 performs an abbreviated authentication exchange by comparing the checksum value to an identity associated with the remote device 130 to determine whether the remote device 130 has previously successfully completed the authentication exchange) and (paragraph 6 of Stieglitz, during the authentication exchange, the authentication server identifies characteristics about the company laptop, which aids the authentication server in selecting the appropriate network configuration for that company laptop. In other words, in one configuration, there may be multiple available configurations and the system explained herein can select one of such configurations for application to the remote device based on some characteristics. These characteristics can be, for example, the location of the company laptop within the network (e.g., a sub-network or port upon which the connection attempt is made), the access level within the network the company laptop is requesting, the role and/or type of the company laptop, or other characteristics).

Argument XI
	With respect to dependent claims 29 and 39, appellant argued that the claims depend from argued independent claims 21 and 31, respectively (see Argument I above), and therefore are patentable.

 	Response XI
Examiner would point out that claims 21 and 31 are not patentable for the reasons given in Response I above.

Argument XII
	With respect to the 35 U.S.C. 103(a) rejection of claims 30 and 40, appellant argued that the art on record, Stieglitz in view of Chesla and further in view of Karasawa, fails to teach the limitation, “… communicating with the network equipment via a first network and a second network that is different than the first network, wherein: the onboarding request is received via the first network; and onboarding related messages are communicated from the onboarding controller to the network equipment via the second network”. Examiner respectfully disagrees.

 	Response XII
A review of the prior art of record (Karasawa), corresponding to the above argued claim limitation, reveals that the argued claim limitation is disclosed by the Karasawa reference as follows (emphasis added): (paragraphs 13-15 of Karasawa, according to a third aspect of the present invention, an authentication device that is configured to authenticate a terminal device capable of connecting to a first network by using a communication ID to allow the terminal device to connect to a second network comprises: storing means; challenge generating means that is configured to generate a challenge when an authentication request is received from the terminal device, retain the challenge in the storing means and transmit the challenge to the terminal device via the second network). The combination of Stieglitz and Chesla fails to disclose communicating over a first network and a second network to receive the request and to transmit the onboarding related messages, respectively. However, Karasawa teaches this limitation: the terminal device is capable of connecting to a first network before authentication, and the authentication device transmits the authentication challenge to the terminal device via the second network (see paragraphs 13-15 of Karasawa).



For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

/TESHOME HAILU/Primary Examiner, Art Unit 2434  
Conferees:
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434 

/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434


Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.
