DETAILED ACTION
This Office Action is in response to the communication filed on 08/13/2019. 
Claims 1-20 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claims 7 and 17-20 are objected to because of the following informalities: 
"the validating" as recited in claim 7 should read "the validating the network access server."
There is insufficient antecedent basis for the limitations "the instructions to the network access server with the network access server internet protocol address by the computer system" and "the policy management system" as recited in claim 17. 
There is insufficient antecedent basis for the limitation "the computer system" as recited in claim 18.
"The non-transitory computer readable medium of claim 15" as recited in claims 19 and 20 should read "The non-transitory computer readable medium of claim 18."
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes et al. (US 2009/0158392) in view of Sakura et al. (US 2014/0068707).
Claim 1, Hughes teaches: 

receiving a digital certificate through a secure connection from a network access server, the secure connection passing through a network address translation device; (e.g. [0010], "NAS 110 is generally in selective communication with a dynamic authentication broker 115. NAS 110 is configured to…selectively provide an authentication request to authentication broker 115. Authentication credentials may include, for instance, a user name and an associated network password, hardware token identifier, PKI certificate, etc. The authentication request, which may be transmitted as a single transmission or a series of transmissions, includes at least the authentication credentials and a NAS identifier, such as the IP address of the NAS 110" [0013], "Authentication broker 115 may also be in communication with at least one authentication mechanism, such as authentication server 135" [0014], "the authentication server 135 may validate the supplied credentials against an internal component such as a text file, database, other internal data structure, or may validate the credentials against an external component such as an external database server, a PKI server, a token server, etc. Authentication server 135 may validate the credentials received…and may provide a response to the requesting service on authentication broker 115, indicating whether the credentials have been successfully authenticated" [0019], 
validating the digital certificate with a policy management system; (e.g. [0022], "Authentication broker 115 may further be in selective communication with a plurality of authentication servers 135…Once the service has determined the appropriate authentication protocol, the service may transmit the authentication request to an authentication server 135 associated with that authentication protocol. The authentication server 135 may then process the authentication request…Authentication server 135 may validate the credentials received…and may provide a response to the requesting service on authentication broker 115, indicating whether the credentials have been successfully authenticated")
establishing a secure tunnel between the network access server and the policy management system; (e.g. [0010], "NAS 110 will generally be configured to communicate the authentication request to authentication broker 115 using a specific authentication protocol. For example, a first NAS 110 may communicate an authentication request to authentication broker 115 using the RADIUS protocol. Another NAS 110 may communicate an authentication request to 
receiving, through the secure tunnel and from the network access server, a remote authentication dial-in user service access request having a network access server internet protocol address; (e.g. [0010], "NAS 110 will generally be configured to communicate the authentication request to authentication broker 115 using a specific authentication protocol. For example, a first NAS 110 may communicate an authentication request to authentication broker 115 using the RADIUS protocol" [0012], "authentication broker 115 may include a first service which may be configured to receive incoming authentication requests in the RADIUS protocol directed to port 1812…Upon receipt of an authentication request, the service may determine at least a NAS identifier and a user identifier 
validating the network access server with the network access server internet protocol address by the policy management system; and (e.g. [0012], "the service may attempt to validate the identity of the requesting NAS 110. That is, the service may identify the specific NAS 110 transmitting the authentication request, and determine whether the NAS 110 is a trusted device. To determine the validity of a NAS 110 the service may compare the received NAS identifier to a list including identifiers associated with known trusted NAS devices 110. For instance, the service may receive an IP address from a NAS 110, and may compare the IP address to a list of trusted IP addresses. A list of identifiers associated with trusted NAS devices 110 may be stored, for example, on a database selectively accessible by authentication broker 115, such as NAS database 125")
allowing a remote authentication dial-in user service traffic when the internet protocol address of the network access server is validated and closing the 

 establishing when a digital certificate is validated. (e.g. [0086], "the internetwork authentication proxy can verify the identity of the network device trying to establish a connection" [0087], "transport layer security (TLS) is enforced. TLS is a natural choice for establishing a secure connection between a network device and internetwork authentication proxy. A network device that has the ability to obtain a TLS client certificate identifying its owner can use the certificate to establish a mutually authenticated TLS session with an internetwork authentication proxy that has the capability" [0088], "When establishing the TLS session, each end must authenticate the other…The internetwork authentication proxy, as the TLS server, can perform client verification to obtain the network device's certificate. By verifying the certificate the internetwork authentication proxy can associate the proper customer account with the session being established" [0090], "once the TLS session is established, the network device and the internetwork authentication proxy agree on a purpose for the session")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings 
Claim 2, Hughes-Sakura combination teaches: 
caching an attribute from the digital certificate in the policy management system. (e.g. Hughes [0016], [0033]-[0035]; Sakura [0104])
Claim 3, Hughes-Sakura combination teaches: 
further comprising a plurality of secure tunnels, wherein each of the plurality of secure tunnels is for a different network access server. (e.g. Hughes [0010], [0019]-[0020])
Claim 4, Hughes-Sakura combination teaches: 
wherein the method occurs for a first remote authentication dial-in user service traffic request for the secure tunnel between the network access server and the policy management system. (e.g. Hughes [0010], [0012], [0019]-[0020])
Claim 5, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises 
Claim 6, Hughes-Sakura combination teaches: 
wherein the secure tunnel is a transport layer security tunnel. (e.g. Sakura [0087]-[0088], [0090]) 
Claim 7, Hughes-Sakura combination teaches: 
wherein the validating comprises comparing the network access server internet protocol address to a validation configuration of the policy management system. (e.g. Hughes [0012], [0030]-[0032])
Claim 8, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises looking up a device configuration based on the network access server internet protocol address and comparing an attribute of the network access server to the device configuration. (e.g. Hughes [0012], [0030]-[0032])
Claim 9, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises 
Claim 10, Hughes-Sakura combination teaches: 
wherein the secure connection comprises a transport layer security connection. (e.g. Hughes [0019]-[0020]; Sakura [0087]-[0088], [0090]) 
Claim 11, Hughes-Sakura combination teaches: 
wherein the digital certificate comprises at least one of a network access server serial number, an issuer, a common name, and a subject alternative name. (e.g. Hughes [0010]; Sakura [0087]-[0088], [0114])
Claim 12, Hughes-Sakura combination teaches: 
wherein a network address translation device internet protocol address is passed through the secure connection to the policy management system with the digital certificate. (Hughes [0010], [0012], [0019]-[0020])
Claim 13, Hughes-Sakura combination teaches: 
further comprising rejecting the network access server when the validating the digital certificate fails. (e.g. Hughes [0036]-[0037]; Sakura [0087]-[0088])
Claim 14, Hughes-Sakura combination teaches: 
wherein the network address translation device is at least one of a firewall and a load balancer. (e.g. Hughes [0019]-[0020])

Claim 16, this claim is directed to a system containing similar limitations as recited in claim 14 and is rejected using the same rationale to combine the references.
Claim 17, this claim is directed to a system containing similar limitations as recited in claim 7 and is rejected using the same rationale to combine the references.
Claim 18, this claim is directed to a medium containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 19, this claim is directed to a medium containing similar limitations as recited in claim 2 and is rejected using the same rationale to combine the references.
Claim 20, this claim is directed to a medium containing similar limitations as recited in claim 7 and is rejected using the same rationale to combine the references.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 2018/0167812 discloses a method of granting access to a wireless network allowing approval by a trusted authenticator.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752. The examiner can normally be reached M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about 
/AMIE C. LIN/Primary Examiner, Art Unit 2436